Getting Data In

New Install - Ubuntu

GLC2012
Explorer

Hello,

I'm trialling Splunk purely as a syslog server, and have installed it on a Windows 2003 server, and can receive syslog information from other Windows servers; however I'm not receiving anything from my Ubuntu server. I've modified the syslog.conf file and included *.* @"splunkserver" at the top of the file and restarted the service, but I don't get anything in Splunk. Can't work out why. Help please. Thanks

1 Solution

rturk
Builder

What you need to do on the Splunk Forwarder is tell it where to send the data it collects. You can do this one of two ways:

Edit/create the outputs.conf (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf) configuration. From your directory path above you'd put the following in /opt/splunkforwarder/etc/apps/local/ (create the local directory if it's not there already). Then create 'outputs.conf' and put this in there:

[tcpout]
defaultGroup = splunkServer

[tcpout:splunkServer]
autoLB = true
server = <YOUR-SPLUNK-SERVER-IP>:9997

Make sure you've got receiving on your Splunk server set up on port 9997, and you should be good 🙂 More details may be found here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

There's a really good run down of how to set up forwarding as well here: http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux

Good luck and happy Splunking 🙂

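A quick way to catch the usual outputs.conf mistakes (placeholder left in, group name mismatch, missing port) before restarting the forwarder. This is an added example, not code from the thread or from Splunk; the sample config it checks is constructed here, and the path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a forwarder outputs.conf.
# It confirms that [tcpout] defaultGroup names a [tcpout:<group>] stanza that
# exists, that the stanza has a server= line, that <YOUR-SPLUNK-SERVER-IP>
# was actually replaced, and that the value carries a :port (9997 here).
# Usage: check_outputs_conf /opt/splunkforwarder/etc/system/local/outputs.conf

stanza_value() {   # stanza_value <file> <stanza> <key> -> prints value or nothing
    awk -F'=' -v stanza="$2" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_stanza = ($0 == stanza); next }
        in_stanza { k = $1; gsub(/[ \t]/, "", k)
                    if (k == key) { v = $2; gsub(/[ \t]/, "", v); print v; exit } }
    ' "$1"
}

check_outputs_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    group=$(stanza_value "$conf" "[tcpout]" defaultGroup)
    [ -n "$group" ] || { echo "no defaultGroup under [tcpout]"; return 1; }
    server=$(stanza_value "$conf" "[tcpout:$group]" server)
    [ -n "$server" ] || { echo "no server= line under [tcpout:$group]"; return 1; }
    case "$server" in
        *\<*\>*)  echo "server still holds a placeholder: $server"; return 1 ;;
        *:[0-9]*) ;;   # host:port present
        *)        echo "server '$server' has no :port (receiver listens on 9997)"; return 1 ;;
    esac
    echo "outputs.conf ok: group=$group server=$server"
}

# Constructed sample matching the stanzas in the accepted answer, with a
# documentation address (192.0.2.10) filled in for the placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[tcpout]
defaultGroup = splunkServer

[tcpout:splunkServer]
autoLB = true
server = 192.0.2.10:9997
EOF
check_outputs_conf "$sample"
rm -f "$sample"
```

Run it against the real file once the placeholder is replaced; a non-zero exit means the forwarder would not have a usable target and the receiver on 9997 would never see a connection.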

GLC2012
Explorer

Thank you

I've got syslog information appearing in Splunk now, but still nothing in *nix. I'm not too fussed about that as I just wanted the syslog info. Thank you for your help! Much appreciated.

0 Karma

rturk
Builder

Glad I could help! If you could mark this question as answered that'd be tops!

0 Karma


GLC2012
Explorer

I see. I've basically followed the guide at the following link, http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux, finishing at step 7, but just issuing the command

/opt/splunkforwarder/bin/splunk add monitor /var/log/

(I must add I am a novice when it comes to Ubuntu)

I've also configured the receiver on the Splunk web interface, but I'm still not seeing anything come through. I must be doing something wrong though... as I'm not sure what you mean by enabling forwarding through the Splunk server, as I don't see that anywhere.

0 Karma

rturk
Builder

The Universal Forwarder is essentially a pared down version of Splunk capable of collecting and forwarding logs to a central Splunk instance. That being said it's not mandatory to use it, and for your purposes it may be better to use the full version while you configure the collection of log files.

If you have installed the *nix app, then you have probably seen the setup. Enabling the directory input for '/var/log/' will pick up the syslog log files. When you're in the *nix app, enable forwarding through to your Splunk server, and make sure you configure your Splunk server to receive this "cooked" data on port 9997 and you should start seeing your log files come through.

0 Karma

GLC2012
Explorer

Thanks for the reply,

I have tried installing the Linux forwarder and the *nix app and gone through the configuration; again the Ubuntu server did not show up in the *nix app. I've not tried a Universal Forwarder; is that different?

0 Karma

rturk
Builder

I'd hate to say it, but this sounds more like a syslog issue on your Ubuntu box, seeing that you can receive syslog from your other servers. Have you tried installing a Universal Forwarder on your Ubuntu server to forward your syslog (and other) messages/logs?

0 Karma