I have Splunk on a Linux box and need to get log info off other Linux boxes on my network. I've looked over the docs and it is just not clear how to do this. If someone could give me an explicit example of how to set this up I would greatly appreciate it. FWIW I am new to Splunk and just installed it for the first time yesterday.
There are many ways to accomplish this, but the "best" (from the standpoint of maximal features and minimal oddities) is to use Splunk Light Forwarders on the "other" boxes. A Light Forwarder is a Splunk installation that has the SplunkLightForwarder App enabled. (What I mean by this is there isn't a separate install [as of Splunk 4.1 anyway] for "just" the Forwarder. You install the same RPM/DEB on every machine, and what it does is based on how you configure it.)
You will configure your indexer to listen on a "splunktcp" input, and configure your forwarder apps on your other machines to forward data to it.
Documentation-wise, you'll want to start at http://www.splunk.com/base/Documentation/latest/Admin/Aboutforwardingandreceiving. That (and subsequent pages in the same section) covers pretty well how you go about configuring forwarding.
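As an added example (not from the thread or the Splunk docs), here are the indexer-side inputs.conf and forwarder-side outputs.conf stanzas that the answer refers to, wrapped in small shell functions so they can be written into a Splunk install directory; the indexer address 192.0.2.10, port 9997 and the /opt/splunk path are assumed values.

```shell
#!/bin/sh
# Added example: writes the two Splunk 4.x stanzas for splunktcp forwarding.
# All host/port/path values below are constructed for illustration.

# Indexer side: open a splunktcp receiver that forwarders send to.
write_indexer_inputs() {
    # $1 = SPLUNK_HOME on the indexer, $2 = receive port (e.g. 9997)
    local_dir="$1/etc/system/local"
    mkdir -p "$local_dir" || return 1
    cat > "$local_dir/inputs.conf" <<EOF
[splunktcp://$2]
disabled = false
EOF
}

# Forwarder side: point all forwarded data at the indexer's receiver.
write_forwarder_outputs() {
    # $1 = SPLUNK_HOME on the forwarder, $2 = indexer host, $3 = receive port
    local_dir="$1/etc/system/local"
    mkdir -p "$local_dir" || return 1
    cat > "$local_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = $2:$3
EOF
}

# Reads back the port from the first splunktcp stanza of an inputs.conf,
# so you can confirm what the indexer will bind before restarting it.
listen_port_of() {
    # $1 = path to inputs.conf
    sed -n 's/^\[splunktcp:\/\/\([0-9]*\)\]$/\1/p' "$1" | head -n 1
}

# Usage (constructed values; each function runs on the box with that role):
#   write_indexer_inputs    /opt/splunk 9997               # on the indexer
#   write_forwarder_outputs /opt/splunk 192.0.2.10 9997    # on each remote box
#   /opt/splunk/bin/splunk restart                         # on both
# Keep the receive port reachable only from your forwarder hosts (host firewall),
# since anything that can reach it can push data into the index.
```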
A simple method -- though not nearly as powerful or flexible as using a Lightweight Forwarder -- is to send your logs via Syslog. You can configure Splunk to listen on a network port, likely UDP:514 for Syslog (default).
*NIX hosts can be configured to send logs to remote systems (using Syslog) in much the same way you configure them to log locally. This is typically done in syslog.conf or rsyslog.conf.
Here's a reference to some examples of rsyslog.conf: http://www.rsyslog.com/doc/rsyslog_conf_examples.html
Here's a reference to some examples of syslog.conf: http://linux.about.com/od/commands/l/blcmdl5_syslogc.htm
Check your /etc folder and see which one controls your system's logging. It should have examples inside the conf file.
Thanks for the responses.
I've set up regular forwarding on one remote server and light forwarding on a second. As far as I can tell the major difference between the two is lower throughput and no parsing. Am I missing any other differences?
The lower throughput can be modified by adding an etc/system/local/limits.conf to override the default limiter if desired.
There are a few other subsystems that are disabled on a lwf, such as udp/tcp inputs.