Hi, I'm posting from a small IT company who looks after x amount of clients. We want to be able to have Splunk monitor the remote SBS boxes (both SBS 2003 and 2008), looking for errors in the event logs and when there is a problem with a server, such as when it goes offline or loses a connection to the WAN or LAN. Is this possible in Splunk? Can someone provide me with steps or good documentation?
This is possible. Your best starting point for this would be the official Splunk documentation, specifically the Installation Manual, found here: http://www.splunk.com/base/Documentation/latest/Installation/WhatsintheInstallationManual
Be sure to read up on the prerequisites and architecture diagrams, the Windows installation process, and advanced concepts such as forwarders to ship data from remote servers.
After reading through the Installation Manual, I recommend downloading a copy of Splunk and installing the evaluation copy on a dev system. Start playing around with it, add some of your data, and go through the Admin Manual as you become more familiar with Splunk. Put together some dev (or even live) systems and start monitoring some SBS servers. Once you've got your process and searches down, adding more systems should be easy.
Splunk can "get data" from any place that has connectivity between the client (forwarder) and the indexer. This might mean additional firewall holes and/or VPN-style setups depending on your particular environment, but the only roadblock here is a lack of connectivity.
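To make the forwarder-to-indexer setup described in the answer concrete, here is an added example of the three configuration files involved; it is not part of the original answer or of Splunk's shipped defaults. It assumes a Splunk universal forwarder on each SBS box, an indexer reachable as `splunk-indexer.example.internal` (an assumed hostname) that has been set to receive on port 9997, forwarded events landing in the default `main` index, and a helpdesk mailbox `helpdesk@example.internal` (also assumed). The first alert covers the "errors in the event logs" requirement; the second covers "server goes offline or loses its WAN link" by noticing when a host stops sending anything at all, since from the indexer's side both failures look the same.

```ini
# --- On each SBS server: %SPLUNK_HOME%\etc\system\local\inputs.conf (universal forwarder) ---
# Collect the three classic Windows event logs. Stanza names are case-sensitive.
# start_from = oldest / current_only = 0 backfills the existing log on first start;
# the Security log is noisy on a domain controller, so consider leaving it disabled at first.
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0

# --- On each SBS server: %SPLUNK_HOME%\etc\system\local\outputs.conf ---
# Ship events to the indexer. Hostname is assumed; 9997 is Splunk's conventional receiving port,
# which must be enabled on the indexer and allowed through any firewall or VPN in between.
# Forwarders connect outbound, so the SBS sites need no inbound holes, only the indexer does.
[tcpout]
defaultGroup = sbs-indexers

[tcpout:sbs-indexers]
server = splunk-indexer.example.internal:9997

# --- On the indexer: %SPLUNK_HOME%\etc\system\local\savedsearches.conf ---
# Alert 1: any Error-level event in the System or Application log of an SBS host in the last 15 minutes,
# grouped by host and EventCode so one burst of identical errors produces one line, not hundreds.
# (Newer Splunk releases name the counttype setting alert_type; the values are the same.)
[SBS - Event log errors]
search = sourcetype="WinEventLog:System" OR sourcetype="WinEventLog:Application" Type="Error" | stats count, values(SourceName) AS sources, latest(Message) AS last_message BY host, EventCode
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = helpdesk@example.internal

# Alert 2: a host that has gone quiet. recentTime is the index time of the newest event per host,
# so a server that is powered off, crashed, or cut off from the WAN all trip this once 15 minutes pass.
# Tune the 900-second threshold to your forwarders' normal event rate so idle-but-healthy boxes don't page you.
[SBS - Host stopped reporting]
search = | metadata type=hosts index=main | where now() - recentTime > 900 | eval minutes_silent = round((now() - recentTime) / 60) | table host, minutes_silent
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
cron_schedule = */5 * * * *
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = helpdesk@example.internal
```

Restart the forwarder after editing inputs.conf and outputs.conf, then confirm on the indexer with a search such as `sourcetype="WinEventLog:System" | stats count BY host` that every SBS box appears before relying on the second alert; a host that never reported in the first place will not show up in `metadata` at all, so the initial rollout is the time to catch firewall or VPN gaps.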
Thanks for the reply. Regarding the remote servers, these are based off site; however, we have a development Hyper-V box which is on a separate internet line. Am I right in thinking that Splunk can still get data from these servers?