I installed the Universal Forwarder on a Linux machine and integrated it with Splunk, but there are no logs returned on the Splunk search head. For your information, I'm currently working on a distributed Splunk Enterprise deployment.
Any recommendations?
I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.
When I searched the search head, no logs appeared.
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?
OK. You downloaded and installed the UF. I assume you started it as well. But as you are apparently using a Deployment Server, did you configure your UF to connect to that DS?
I have specified a specific index so that we can send the logs to it, but when I search in the search head, there are no logs found.
Do I have to specify anything in the inputs.conf file?
What do you mean by "I integrated my UF with Splunk"?
Also, the usual questions:
1. Do you have _any_ events from this forwarder (especially forwarder's own logs in _internal index) in your Splunk?
2. Do you have connectivity from your UF to your receiving component(s)? Did you verify it manually?
3. Did you check your forwarder's logs ($SPLUNK_HOME/var/log/splunk/splunkd.log) for errors?
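Questions 2 and 3 above can be checked from the forwarder itself. The script below is an added example written for this thread, not code from Splunk or from any poster: it reads the receiver list from a UF's outputs.conf, tries a TCP connection to each receiver, and pulls WARN/ERROR lines from the output pipeline out of splunkd.log. The config text, log excerpt and hostnames are constructed samples; in practice, point it at $SPLUNK_HOME/etc/system/local/outputs.conf and $SPLUNK_HOME/var/log/splunk/splunkd.log.

```python
import re
import socket

# Constructed sample of a UF outputs.conf (hostnames are placeholders).
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""

# Constructed excerpt in the layout of $SPLUNK_HOME/var/log/splunk/splunkd.log.
SAMPLE_SPLUNKD_LOG = """\
03-01-2024 10:00:01.000 +0000 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to idx1.example.internal:9997
03-01-2024 10:00:21.000 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
03-01-2024 10:00:22.000 +0000 ERROR TcpOutputProc - Connection to 10.0.0.5:9997 failed
03-01-2024 10:00:30.000 +0000 INFO  DC:DeploymentClient - Fetching apps from deployment server
"""

def parse_tcpout_servers(conf_text):
    """Return (host, port) pairs from every 'server =' line under a [tcpout:*] stanza."""
    targets = []
    in_group = False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_group = line.startswith("[tcpout:")   # only output groups carry receivers
            continue
        if in_group and line.startswith("server"):
            for entry in line.split("=", 1)[1].split(","):
                host, _, port = entry.strip().rpartition(":")
                targets.append((host, int(port)))
    return targets

def forwarding_errors(log_text):
    """Question 3: WARN/ERROR lines from the forwarder's output pipeline (TcpOutputProc)."""
    pat = re.compile(r"\s(WARN|ERROR)\s+TcpOutputProc\b")
    return [line for line in log_text.splitlines() if pat.search(line)]

def can_reach(host, port, timeout=3.0):
    """Question 2: can this host open a TCP session to the receiving port at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for host, port in parse_tcpout_servers(SAMPLE_OUTPUTS_CONF):
        print(f"{host}:{port} reachable={can_reach(host, port)}")
    for line in forwarding_errors(SAMPLE_SPLUNKD_LOG):
        print("forwarder problem:", line)
```

If both checks pass, question 1 is next: search `index=_internal host=<forwarder>` on the search head, because a UF that can reach its receiver always sends its own splunkd.log before any inputs.conf data.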
I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.
When I searched the search head, no logs appeared.
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?
OK. Maybe you misunderstand how Splunk works. You don't "connect Splunk to a Linux server". You install the UF on a server and (this might be one of the parts you're missing) you make it send events to Splunk.
So, did you verify any of those things I asked you earlier?