New Install - Ubuntu

Explorer

Hello,

I'm trialling Splunk purely as a syslog server, and have installed it on a Windows 2003 server, and can receive syslog information from other Windows servers; however, I'm not receiving anything from my Ubuntu server. I've modified the syslog.conf file and included *.* @"splunkserver" at the top of the file and restarted the service, but I don't get anything in Splunk. Can't work out why. Help please. Thanks

1 Solution

Builder

What you need to do on the Splunk Forwarder is tell it where to send the data it collects. You can do this one of two ways:

Edit/create the outputs.conf (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf) configuration. From your directory path above you'd put the following in /opt/splunkforwarder/etc/apps/local/ (create the local directory if it's not there already). Then create outputs.conf and put this in there:

[tcpout]
defaultGroup = splunkServer

[tcpout:splunkServer]
autoLB = true
server = <YOUR-SPLUNK-SERVER-IP>:9997

Make sure you've got receiving on your Splunk server set up on port 9997, and you should be good 🙂 More details may be found here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

There's a really good run down of how to set up forwarding as well here: http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux

Good luck and happy Splunking 🙂

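Added example, not from this thread or from Splunk itself: a small Python check of an outputs.conf like the one above that catches the placeholder left in the server setting, a defaultGroup with no matching [tcpout:<group>] stanza, an out-of-range port, and a group with no forwarder-side TLS settings (sslCertPath/sslRootCAPath, the key names from Splunk's outputs.conf reference). Both sample configurations and the 192.0.2.10 address are constructed for the example.

```python
import configparser
import re

# Constructed sample: the stanzas from the answer above, placeholder still in place.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = splunkServer
[tcpout:splunkServer]
autoLB = true
server = <YOUR-SPLUNK-SERVER-IP>:9997
"""

# Constructed sample with a made-up indexer address and TLS settings filled in.
FIXED_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = splunkServer
[tcpout:splunkServer]
autoLB = true
server = 192.0.2.10:9997
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
"""

# A usable server entry is host:port; anything else (e.g. "<YOUR-...>") is rejected.
SERVER_RE = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


def check_outputs_conf(text):
    """Return a list of problems; an empty list means the forwarder has a usable target."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $SPLUNK_HOME literal
    cp.read_string(text)
    group = cp.get("tcpout", "defaultGroup", fallback=None)
    if not group:
        return ["no [tcpout] defaultGroup: the forwarder has nowhere to send data"]
    stanza = f"tcpout:{group}"
    if stanza not in cp:
        return [f"defaultGroup '{group}' has no [{stanza}] stanza"]
    g = cp[stanza]
    problems = []
    servers = [s.strip() for s in g.get("server", "").split(",") if s.strip()]
    if not servers:
        problems.append(f"[{stanza}] has no server entry")
    for s in servers:
        m = SERVER_RE.match(s)
        if not m:
            problems.append(f"server '{s}' is not host:port (placeholder still in place?)")
        elif not 1 <= int(m["port"]) <= 65535:
            problems.append(f"server '{s}' has an out-of-range port")
    # Without forwarder-side TLS settings the cooked data crosses the network in cleartext.
    if "sslCertPath" not in g or "sslRootCAPath" not in g:
        problems.append(f"[{stanza}] has no sslCertPath/sslRootCAPath: data is sent in cleartext")
    return problems
```

Run it against the real file with check_outputs_conf(open("/opt/splunkforwarder/etc/system/local/outputs.conf").read()) before restarting the forwarder.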

Explorer

Thank you

I've got syslog information appearing in Splunk now but still nothing in *nix, but I'm not too fussed about that as I just wanted the syslog info. Thank you for your help! Much appreciated.


Builder

Glad I could help! If you could mark this question as answered that'd be tops!



Explorer

I see. I've basically followed the guide at the following link http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux finishing at step 7. But just issuing the command

/opt/splunkforwarder/bin/splunk add monitor /var/log/

(I must add I am a novice when it comes to Ubuntu)

I've also configured the receiver on the Splunk web interface, but still not seeing anything come through. I must be doing something wrong though, as I'm not sure what you mean by enabling forwarding through Splunk server as I don't see that anywhere.


Builder

The Universal Forwarder is essentially a pared down version of Splunk capable of collecting and forwarding logs to a central Splunk instance. That being said, it's not mandatory to use it, and for your purposes it may be better to use the full version while you configure the collection of log files.

If you have installed the *nix app, then you have probably seen the setup. Enabling the directory input for '/var/log/' will pick up the syslog log files. When you're in the *nix app, enable forwarding through to your Splunk server, and make sure you configure your Splunk server to receive this "cooked" data on port 9997 and you should start seeing your log files come through.


Explorer

Thanks for the reply,

I have tried installing the Linux forwarder and the *nix app and gone through the configuration; again the Ubuntu server did not show up on the *nix app. I've not tried a Universal Forwarder, is that different?


Builder

I'd hate to say it, but this sounds more like a syslog issue on your Ubuntu box, seeing that you can receive syslog from your other servers. Have you tried installing a Universal Forwarder on your Ubuntu server to forward your syslog (and other) messages/logs?
