What are best practices for logging to splunk?

shanemhartley · ‎11-05-2024

We have logs that are written to

/var/log

/var/log/audit

We need to keep these for 365 days, and want to ensure that we are following best practices, is there a set of configuration settings we can follow to ensure we're following best practices?

Ultimately, we want to ensure we have log retention, and that /var/log is not a cluttered mess.

Thank you!

gcusello · ‎11-05-2024

Hi @shanemhartley ,

ingestion in Splunk is usually done using a Technical Add-On , in your case the Splunk_TA_nix (https://splunkbase.splunk.com/app/833).

You have to install this add-on on the Universal Forwarder enabling the input stanzas you need.

If you want to store these logs in a defined index (instead of main), you have also to add to each enabled input stanza the option:

index = <your_index>

Then you have to install this add-on also on your Search Head or your Stand Alone Splunk Server.

In this way you have the logs correctly parsed and usable.

For more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain and there are also more videos.

Ciao.

Giuseppe

What are best practices for logging to splunk?

Linux

syslog

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Are you a member of the Splunk Community?

What are best practices for logging to splunk?

Linux

syslog

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...