Getting Data In

What is the best way to monitor a random directory?

Crashfry
Path Finder

With a clustered index environment, we have typically used the deployment server for the push mechanism to the universal forwarders etc.

Now on random servers, we want to monitor for specific actions in directories not covered by a previous add-on for, say, the Linux add-on. I want to monitor a random directory — what is the best way to accomplish this?

Is using the add-monitor command individually on those servers the best way to handle this?

Thanks in advance!


richgalloway
SplunkTrust

You shouldn't be allowing anyone, including yourself, to use the CLI to touch your forwarders for that is the path to madness. It's also a potential security hole.

It's better to create a one-off app on the deployment server and push it to the few forwarders that need it. By doing that, you keep all of your configurations in one place (the DS) where they are easier to manage.

---
If this reply helps you, an upvote would be appreciated.
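
A sketch of the one-off app approach described in the answer above, as an added example that is not part of the original thread: a deployment app holding a single monitor input, plus the server class that pushes it to two forwarders. The app name, server class name, host names, monitored path, index and sourcetype are all assumptions made up for illustration.

```ini
# --- On the deployment server ---
# File: $SPLUNK_HOME/etc/deployment-apps/oneoff_appx_inputs/local/inputs.conf
# (app name, monitored path, index and sourcetype are hypothetical)
[monitor:///opt/appx/logs]
# Only pick up files ending in .log under the monitored directory
whitelist = \.log$
index = appx
sourcetype = appx:log
disabled = false

# File: $SPLUNK_HOME/etc/system/local/serverclass.conf
# (server class name and host names are hypothetical)
[serverClass:oneoff_appx]
# Only these forwarders receive the app
whitelist.0 = appsrv01.example.com
whitelist.1 = appsrv02.example.com

[serverClass:oneoff_appx:app:oneoff_appx_inputs]
# Restart the forwarder after the app is installed so the new input is read
restartSplunkd = true
stateOnClient = enabled
```

After saving both files, running `splunk reload deploy-server` on the deployment server makes it re-read serverclass.conf, and the listed forwarders fetch the app at their next check-in. The target index has to exist on the indexers before data arrives.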


Crashfry
Path Finder

Thanks for the response, so you're saying when dealing with these types of items, the easiest way is having a server class for them, create the input needed to monitor " x " and push out to those for monitoring on that end. I see where that is easier for sure on that end, just a PITA for situations where it's a single log file you want to collect from one or two servers. But I see where you're going with it, one and two servers turns into multiple servers down the line..


richgalloway
SplunkTrust

Yes, that's what I'm saying. When those one or two servers start behaving oddly, you'll appreciate having all of the configs on the DS and not having to sign in to each one to review their .conf files for errors.

---
If this reply helps you, an upvote would be appreciated.

Crashfry
Path Finder

I appreciate the thoughts and help - have already made the changes and agree this will be a lot easier to manage. So thank you!
