What are best practices for logging to splunk?

shanemhartley · ‎11-05-2024

We have logs that are written to

/var/log

/var/log/audit

We need to keep these for 365 days, and want to ensure that we are following best practices, is there a set of configuration settings we can follow to ensure we're following best practices?

Ultimately, we want to ensure we have log retention, and that /var/log is not a cluttered mess.

Thank you!

gcusello · ‎11-05-2024

Hi @shanemhartley ,

ingestion in Splunk is usually done using a Technical Add-On , in your case the Splunk_TA_nix (https://splunkbase.splunk.com/app/833).

You have to install this add-on on the Universal Forwarder enabling the input stanzas you need.

If you want to store these logs in a defined index (instead of main), you have also to add to each enabled input stanza the option:

index = <your_index>

Then you have to install this add-on also on your Search Head or your Stand Alone Splunk Server.

In this way you have the logs correctly parsed and usable.

For more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain and there are also more videos.

Ciao.

Giuseppe

What are best practices for logging to splunk?

Linux

syslog

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services