Getting Data In

splunk forwarder takes only alert data from logs

hammad_yasir
Loves-to-Learn Everything

Hi i hope you will be fine.i need your help.i want splunk forwarder only take alert data from logs?how i can tell the splunk forwarder which is called Splunk universal forwarder to take only alert data from logs.let say i have 5000 files of logs ,in which only 1000 files are Alert logs i want only 1000 logs files from splunk forwarder,help me for this issue,i hope you will help me. Thanks in advance

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

In general, you should not be just pointing your forwarder at a directory in which you have many different kinds of files and ingest them all into one big "sack".

Every type of log files should have their own sourcetype, so splunk knows that, for example /var/log/exim/main.log* are the exim log files (and have to be parsed accordingly) and /var/log/httpd/access.log* are apache httpd files and are treated according to their format.

So in your inputs.conf you should set appropriate definitions of inputs with paths pointing at specific subsets of files. So instead of just [monitor://var/log/*] to get all logs you should have more precisely specified paths like [monitor://var/log/named/*] and so on.

0 Karma

hammad_yasir
Loves-to-Learn Everything

thanks.give me exmaple for inputs.conf i want all the logs from ssh logins in /var/logs tell me syntax for this

0 Karma

hammad_yasir
Loves-to-Learn Everything

let say when new data come in local var/log/ in linux local Machine where splunk forwarder are installed how i know this is a Alert data.give me examples for this.i want alert related to viruses when new virus comeback in var/log directory ,how to tell splunk forward this is a alert data.i know where i can config inputs.cong in system/local folder of splunk forwarder.help me

0 Karma

danielcj
Communicator

Hello,

You should create an inputs.conf file that will monitor this directory and collect only the Alert Logs files. 

You can create an new app and place the inputs.conf file on the /local/ folder of the app or add this inputs.conf file directly on the $SPLUNK_HOME/etc/system/local/ of your splunk universal forwarder. 

Make sure that you will collect only the desired logs if they are in the same directory of the other logs. Also, make sure the user that is running the splunkd process have the right permissions to read this directory.

An example of the inputs.conf file is the following:

[monitor://<YOUR_PATH_TO_ALERT_LOGS]
index = <INDEX_OF_YOUR_DATA>
sourcetype = <SOURCETYPE_OF_YOUR_DATA>
disabled = false

 

More information could be checked on the official docs: https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Monitorfilesanddirectorieswithinputs.conf

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...