Getting Data In

What is the best way to monitor a random directory?

Path Finder

With a clustered index environment, we have typically used the deployment server for the push mechanism to the universal forwarders etc.

Now on random servers, we want to monitor for specific actions in directories not covered by a previous add-on for, say, the Linux add-on. I want to monitor a random directory — what is the best way to accomplish this?

Is using the add-monitor command individually on those servers the best way to handle this?

Thanks in advance!


SplunkTrust

You shouldn't be allowing anyone, including yourself, to use the CLI to touch your forwarders for that is the path to madness. It's also a potential security hole.

It's better to create a one-off app on the deployment server and push it to the few forwarders that need it. By doing that, you keep all of your configurations in one place (the DS) where they are easier to manage.

---
If this reply helps you, an upvote would be appreciated.
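
The one-off app approach described in the answer above could look like the following on the deployment server. This is an added example, not part of the original reply; the app name, server class name, host names, monitored path, index and sourcetype are all hypothetical placeholders.

```ini
# --- File 1, on the deployment server ---
# $SPLUNK_HOME/etc/deployment-apps/oneoff_acme_inputs/local/inputs.conf
# The app (hypothetical name "oneoff_acme_inputs") carries only the input
# that the standard add-ons do not cover.
[monitor:///opt/acme/app/logs]
disabled = false
# Hypothetical index and sourcetype; both must already exist on the indexers.
index = acme_app
sourcetype = acme:app:log
# Regex matched against the full file path, so only .log files are read.
whitelist = \.log$

# --- File 2, on the deployment server ---
# $SPLUNK_HOME/etc/system/local/serverclass.conf
# A server class scoped to only the forwarders that need the input
# (hypothetical host names).
[serverClass:oneoff_acme_app]
whitelist.0 = appsrv01.example.com
whitelist.1 = appsrv02.example.com

# Bind the app to the server class and restart the forwarder after delivery
# so the new monitor stanza takes effect.
[serverClass:oneoff_acme_app:app:oneoff_acme_inputs]
stateOnClient = enabled
restartSplunkd = true
```

After saving both files, `splunk reload deploy-server` on the deployment server makes it re-read the server classes, and the matching forwarders pick up the app on their next check-in.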


Path Finder

Thanks for the response, so you're saying when dealing with these types of items, the easiest way is having a server class for them, create the input needed to monitor "x" and push out to those for monitoring on that end. I see where that is easier for sure on that end, just a PITA for situations where it's a single log file you want to collect from one or two servers. But I see where you're going with it, one and two servers turns into multiple servers down the line.


SplunkTrust

Yes, that's what I'm saying. When those one or two servers start behaving oddly, you'll appreciate having all of the configs on the DS and not having to sign in to each one to review their .conf files for errors.

---
If this reply helps you, an upvote would be appreciated.

Path Finder

I appreciate the thoughts and help - have already made the changes and agree this will be a lot easier to manage. So thank you!
