Re: Monitor remote host logs?

chaga · ‎08-30-2019

I can't understand that.
How to Splunk monitor log from remote linux log?
Universal Forwarder have been installed in the remote linux.
What I should do then?

sandyIscream · ‎08-30-2019

@chaga You should write your inputs.conf and outputs.conf

sample inputs.conf

[monitor:///filepath to monitor]
index =
sourcetype =
host = yourhostname

sample outputs.conf

Run this command to create outputs.conf /opt/splunkforwarder/bin/splunk add forward-server :port
then restart - /opt/splunkforwarder/bin/splunk restart

chaga · ‎08-30-2019

@sandyIscream i have added input and output.conf as below
[tcpout]
server = splunkserver:9997

[tcpout:default-autolb-group]
disabled = false
server = splunkserver:9997

[tcpout-server://splunkforwardserver:9997]

inputs.conf

[default]
[monitor:///var/log/messages]
index = main
sourcetype = access_common
host = splunkforwaderserver

sandyIscream · ‎09-02-2019

Did your data started coming to your splunk instance ? @chaga

If not then let me know where exactly your are facing the issue.

chaga · ‎09-03-2019

Unfortunately, the data didnot came up. i have the following in my configuration.

i have added input and output.conf as below
[tcpout]
server = splunkserver:9997

[tcpout:default-autolb-group]
disabled = false
server = splunkserver:9997

[tcpout-server://splunkforwardserver:9997]

inputs.conf

[default]
[monitor:///var/log/messages]
index = main
sourcetype = access_common
host = splunkforwaderserver

chaga · ‎09-03-2019

Should we configure indexer also?

solarboyz1 · ‎08-30-2019

Make sure the splunk user, or whatever account is running splunk, has access to read /var/log/messages.

Also, just a note, the /var/log/messages file sourcetype is normally linux_messages_syslog:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes

Monitor remote host logs?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!