Getting Data In

how can I setup splunk to monitor syslog-ng and other logs via the UF?

neomatrixgem
New Member

Hi,

I am a newbie to Splunk. I am able to install Splunk, but I am not able to understand forwarders and where and how to use them.

e.g : 192.168.0.1 [Splunk Server running on Linux]
192.168.0.2 [ Apache running and MySQL ]
192.168.0.3 [ Syslog-ng server]

How do I set up Splunk so that it can monitor Apache/MySQL and other services' logs and also the syslog? If you have any step-by-step doc, please share it. I read the documentation, but I wasn't able to set it up.
My second question is: do I need to install the Splunk forwarder on 192.168.0.2 and 3 so that the Splunk server can talk to them? Where do we need a forwarder, and why? If I need to install the Splunk forwarder, then how do I configure it?

I know I may be asking silly questions, but sorry, I am not able to follow the documentation.

Your help will be appreciated.

BR,
Neo


jbsplunk
Splunk Employee

It sounds like you've got a splunk indexer running on 192.168.0.1, and you want to install splunk forwarders at 192.168.0.2 and 192.168.0.3.

The first thing that you'd need to do would be to enable receiving on your splunk indexer. To do that, follow these instructions:

http://www.splunk.com/base/Documentation/latest/Deploy/Enableareceiver

Set up receiving

You enable receiving on a Splunk instance through Splunk Web or the CLI.
Set up receiving with Splunk Web

Use Splunk Manager to set up a receiver:

1. Log into Splunk Web as admin on the server that will be receiving data from a forwarder.

2. Click the Manager link in the upper right corner.

3. Select Forwarding and receiving in the Data area.

4. Click Add new in the Receive data section.

5. Specify which TCP port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.

6. Click Save. You must restart Splunk to complete the process.
Set up receiving with Splunk CLI

To access the CLI, first navigate to $SPLUNK_HOME/bin/. This is unnecessary if you have added Splunk to your path.

To enable receiving, enter:

./splunk enable listen <port> -auth <username>:<password>

For <port>, substitute the port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd. 

Once you've configured the Receiver, it is time to configure your forwarders. You'll want to use the Universal Forwarder. The package needs to be installed on both 192.168.0.2 and 3, because a universal forwarder only forwards data from the place it is installed.
You'll also need to set up your inputs.conf file to monitor the files or directories that you are interested in getting data from.

The instructions for deploying a universal forwarder are here:

http://www.splunk.com/base/Documentation/latest/Deploy/Deployanixdfmanually

This gives you a step by step procedure, so if things aren't working well, you'll need to explain what is wrong.

For information on what to configure in inputs.conf, see

http://www.splunk.com/base/Documentation/latest/admin/Inputsconf

Specifically, look at the bottom of the spec file for the example and then, if needed, you can go back up to reference particular settings to determine if they may be applicable to your Splunk instance.

I hope this information is helpful.
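To make the two forwarder-side pieces of this answer concrete, here is an added example (not from the original post or from Splunk's documentation) that generates the outputs.conf and inputs.conf a Universal Forwarder needs for the layout in the question. It uses the indexer address and the conventional port 9997 from the thread; the log paths, sourcetype and index names, the "web"/"syslog" role names, the function names and the syslog-ng per-client directory layout are all assumptions made for the example.

```shell
# Added example (not the original post's or Splunk's own code): render the
# Universal Forwarder config for the hosts in the question. Role "web" is
# meant for 192.168.0.2 (Apache + MySQL), "syslog" for 192.168.0.3 (syslog-ng).
# Log paths, index names and the syslog-ng directory layout are assumptions.

INDEXER="${INDEXER:-192.168.0.1}"   # the receiver enabled with 'splunk enable listen'
RECV_PORT="${RECV_PORT:-9997}"      # conventional receiving port from the thread

# outputs.conf: tells the forwarder where to send everything it collects.
render_outputs_conf() {
  cat <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $1:$2
EOF
}

# inputs.conf for the Apache/MySQL host. The 'index' values must already
# exist on the indexer; events addressed to an unknown index are dropped there.
render_inputs_conf_web() {
  cat <<'EOF'
[monitor:///var/log/apache2/access.log]
sourcetype = access_combined
index = web

[monitor:///var/log/apache2/error.log]
sourcetype = apache_error
index = web

[monitor:///var/log/mysql/error.log]
sourcetype = mysqld_error
index = db
EOF
}

# inputs.conf for the syslog-ng host. Assumes (for the example) that syslog-ng
# writes one directory per client, /var/log/syslog-ng/<client-host>/..., so
# host_segment = 4 takes the host field from the 4th path segment instead of
# stamping every event with the syslog-ng server's own hostname.
render_inputs_conf_syslog() {
  cat <<'EOF'
[monitor:///var/log/syslog-ng/]
sourcetype = syslog
index = syslog
host_segment = 4
EOF
}

# Write both files under <dest>/etc/system/local, which is where splunkd reads
# them from when <dest> is $SPLUNK_HOME (e.g. /opt/splunkforwarder).
write_forwarder_config() {
  role="$1"; dest="$2"
  mkdir -p "$dest/etc/system/local" || return 1
  render_outputs_conf "$INDEXER" "$RECV_PORT" > "$dest/etc/system/local/outputs.conf"
  case "$role" in
    web)    render_inputs_conf_web    > "$dest/etc/system/local/inputs.conf" ;;
    syslog) render_inputs_conf_syslog > "$dest/etc/system/local/inputs.conf" ;;
    *)      echo "unknown role: $role (use web or syslog)" >&2; return 1 ;;
  esac
}

# Pre-flight check before restarting the forwarder: print every monitored path
# from an inputs.conf that does not exist on this host. A monitor stanza for a
# missing path indexes nothing until the path appears, and nothing on the
# indexer side tells you why the data is absent.
missing_monitor_paths() {
  sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$1" | while IFS= read -r path; do
    [ -e "$path" ] || printf '%s\n' "$path"
  done
}
```

Usage on the forwarder host is `write_forwarder_config web /opt/splunkforwarder` (or `syslog` on the syslog-ng box), then `missing_monitor_paths /opt/splunkforwarder/etc/system/local/inputs.conf` to catch typos in the paths, then a restart of the forwarder so it picks the files up. One caveat for the psacct case discussed later in the thread: the accounting file psacct writes is a binary record format, so a plain monitor stanza on it produces unreadable events; the human-readable form is the output of tools such as lastcomm, which would need a scripted input rather than a file monitor.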



jbsplunk
Splunk Employee

From $SPLUNK_HOME/bin/ you can run the command 'splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus >> filestatus.txt' This should tell you what the status of the input is, and which files have been read or not read.


neomatrixgem
New Member

Hi,
I have added [monitor:///var/log/acct] in the forwarder inputs.conf file. Everything seems to be working apart from logging the psacct. I have configured psacct, and the file where it is logging all the info is the "acct" file. Am I doing something wrong in the configuration? As you suggested, I was looking into the log files, but I was not able to trace anything related to psacct. Please help.

Regards,
Neo


jbsplunk
Splunk Employee

You should be able to set up the inputs.conf file in a similar manner on the forwarder. If you look on the forwarder in $SPLUNK_HOME/var/log/splunk/ and search for the path to the input you created, you may see some data indicating what is happening.

If you found the answer acceptable, please click on the checkbox to accept it as being valid.


neomatrixgem
New Member

Hi,

Thanks, I have solved the issue; it was an issue with the indexer settings.

Now I need to configure the forwarder so that it can send the pacct log to my Splunk server. I tried configuring the same in the inputs.conf file on the forwarder, but no luck.

Please help.

Regards,
Neo
