Hi All,
I am new to Splunk.
We have a central server where different types of logs are generated.
How can I register or give a reference to that remote server's URL in Splunk?
(i.e. I want to register the server URL in Splunk so that each time it fetches the updated indexed log details.)
Thanks.
If you don't want to use a forwarder you can use a scripted input to retrieve the logs via ssh. If you don't want to read the entire log you might have to use a little logic (tail, grep) to only read new lines. The easiest way is to use the UF on your remote servers.
inputs.conf
#*nix
# Scripted input: Splunk runs sshscript.sh and passes catfiles.sh as its first argument
[script://./bin/sshscript.sh ./bin/catfiles.sh]
disabled = false
index = main
sourcetype = somelogtype
# cron-style schedule: once a day at midnight
interval = 0 0 * * *
#sshscript.sh
#*nix
#!/bin/bash
# Feed the local script named in $1 to a remote bash over ssh; its stdout comes back
# to Splunk as the event data. Logging in as root works but a dedicated read-only
# account for the log files is the safer choice.
ssh root@remoteServer 'bash -s' < "$1"
#catfiles.sh
#*nix
#!/bin/bash
# Print the name and full contents of every regular file directly under /var/log/
for file in /var/log/*; do
  [ -f "$file" ] || continue
  fcontent=$(cat "$file")
  printf '%s\n%s\n' "$file" "$fcontent"
done
For more info check my other post:
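The "little logic" for reading only new lines that the answer above mentions, as an added example that is not part of the original post: the function below keeps the byte offset of the last fetch in a state file, emits only the complete lines appended since then, and starts over when the log has been rotated or truncated. The log path, state path and the sample log content are constructed for the example.

```shell
#!/bin/bash
# Incremental log fetch for a scripted input (added example, not from the thread).
# Usage: fetch_new_lines LOGFILE STATEFILE
#   Prints the lines appended to LOGFILE since the byte offset stored in STATEFILE,
#   then writes the new offset back. Keep STATEFILE in a directory only the
#   collecting account can write to; a world-writable one invites symlink games.
fetch_new_lines() {
  local log="$1" state="$2" offset=0 size nlines nbytes
  [ -f "$state" ] && offset=$(tr -d ' ' < "$state")
  size=$(wc -c < "$log" | tr -d ' ')
  # Smaller than last time means the log was rotated or truncated: read from byte 0
  [ "$size" -lt "$offset" ] && offset=0
  # Only complete lines are emitted; a trailing partial line (a writer caught
  # mid-append) waits for the next run so an event is never split in two.
  nlines=$(tail -c +"$((offset + 1))" "$log" | tr -dc '\n' | wc -c | tr -d ' ')
  nbytes=$(tail -c +"$((offset + 1))" "$log" | head -n "$nlines" | wc -c | tr -d ' ')
  tail -c +"$((offset + 1))" "$log" | head -n "$nlines"
  printf '%s\n' "$((offset + nbytes))" > "$state"
}

# Stand-alone demo on a constructed log (assumed paths under a temp dir).
demo_dir=$(mktemp -d)
printf 'Jan 01 00:00:01 host sshd[1]: Accepted publickey for alice\n' > "$demo_dir/auth.log"
fetch_new_lines "$demo_dir/auth.log" "$demo_dir/auth.log.offset"   # prints the first line
printf 'Jan 01 00:00:02 host sshd[2]: Failed password for root\n' >> "$demo_dir/auth.log"
fetch_new_lines "$demo_dir/auth.log" "$demo_dir/auth.log.offset"   # prints only the new line
rm -rf "$demo_dir"
```

Run through the ssh pattern from the answer, the script and its state file live on the remote host; pass the paths as positional arguments with `ssh user@remoteServer 'bash -s -- /var/log/app.log /var/lib/splunkfetch/app.log.offset' < fetch.sh`.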
Right now if we want to check logs, we do ssh from linux terminal or through FTP.
You'll need a forwarder installed on that server so that the logs can get sent to Splunk to be indexed and searched centrally.
http://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents
I will work on it once I go back.
I don't know about your outputs.conf settings. I would try something standard like you see in the outputs.conf example in our docs. This will send to server IP 10.10.1.155 on port 9997, which you have set up to receive.
[tcpout:groupname]
server=10.10.1.155:9997
You can also look in $SPLUNK_HOME/var/log/splunk for the splunkd log to see issues; that might help.
I can see the entries. Now how can I make it work?
Go in the UI to Manager -> Forwarding and receiving and make sure you've got an entry there.
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Enableareceiver#Set_up_receiving
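The matching pair of stanzas behind the UI entry the answer above refers to, as an added example that is not from the thread: the receiver listens on 9997 in its inputs.conf, and the forwarder's outputs.conf names that host and port. The group name indexer_9997 and the file paths are assumed; the IP and port are the ones used earlier in this thread.

```ini
# Receiver (indexer) side: $SPLUNK_HOME/etc/system/local/inputs.conf
# Listens for forwarder traffic on TCP 9997; splunkd must be restarted after the change.
[splunktcp://9997]
disabled = 0

# Forwarder side: $SPLUNK_HOME/etc/system/local/outputs.conf
# defaultGroup must match the tcpout:<group> stanza, which in turn names the receiver.
[tcpout]
defaultGroup = indexer_9997

[tcpout:indexer_9997]
server = 10.10.1.155:9997
```

If port 9997 is firewalled between the two hosts the forwarder will log repeated connection failures in its own splunkd.log under $SPLUNK_HOME/var/log/splunk, which is the first place to look when the receiver entry exists but nothing arrives.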
[default]
host = localhost (My Workstation)
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
disabled = 0
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0
[tcpout]
defaultGroup = ..._9997
[tcpout:..._9997]
server = ...:9997
[tcpout-server://...:9997]
Just checking configuration and installation. After installing the forwarder on my machine, I can see that before only the Splunk folder was there and now another folder, SplunkForwarder, has been created. So there are two setup folders now; is this expected? Or am I missing something?
Please post your configuration file settings for forwarding and receiving and maybe that will let us help you on this issue.
Look in
On the forwarder look in
I have looked into the configuration files. Also I need to refer to the above links to check my setup.
Are you set up for forwarding and receiving according to the docs?
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Enableareceiver
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd
While installing, it asks for host details two times with default port numbers; I just want to know where I can give my server details.
OK. Where? What part of the setup are you struggling with?
I have installed forwarder.
You'll need to post more details on the remote server. How are the logs on it accessed? Through CIFS, HTTP, FTP, ...