I can't understand that.
How does Splunk monitor logs from a remote Linux host?
The Universal Forwarder has been installed on the remote Linux host.
What should I do then?
@chaga You should write your inputs.conf and outputs.conf.
Sample inputs.conf:
[monitor:///filepath to monitor]
index =
sourcetype =
host = yourhostname
Sample outputs.conf:
Run this command to create outputs.conf: /opt/splunkforwarder/bin/splunk add forward-server :port
Then restart: /opt/splunkforwarder/bin/splunk restart
@sandyIscream I have added inputs.conf and outputs.conf as below:
[tcpout]
server = splunkserver:9997
[tcpout:default-autolb-group]
disabled = false
server = splunkserver:9997
[tcpout-server://splunkforwardserver:9997]
inputs.conf:
[default]
[monitor:///var/log/messages]
index = main
sourcetype = access_common
host = splunkforwaderserver
Did your data start coming into your Splunk instance? @chaga
If not, then let me know where exactly you are facing the issue.
Unfortunately, the data did not come up. I have the following in my configuration.
I have added inputs.conf and outputs.conf as below:
[tcpout]
server = splunkserver:9997
[tcpout:default-autolb-group]
disabled = false
server = splunkserver:9997
[tcpout-server://splunkforwardserver:9997]
inputs.conf:
[default]
[monitor:///var/log/messages]
index = main
sourcetype = access_common
host = splunkforwaderserver
Should we configure the indexer also?
Make sure the splunk user, or whatever account is running Splunk, has access to read /var/log/messages.
Also, just a note: the /var/log/messages file sourcetype is normally linux_messages_syslog:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes
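As an added example (not from this thread and not Splunk's own tooling), the script below does the two preflight checks the answers above point at: it pulls the paths out of the [monitor://...] stanzas in an inputs.conf and confirms the account running it can read them, and it pulls the server = targets out of an outputs.conf and confirms each is a host:port pair. The inputs.conf and outputs.conf it checks are constructed sample files written to a temp directory, with an assumed hostname and a sourcetype of linux_messages_syslog; point the functions at /opt/splunkforwarder/etc/system/local/ on a real forwarder and run them as the splunk user.

```shell
#!/bin/sh
# Added example: preflight checks for a Universal Forwarder's inputs.conf and
# outputs.conf before restarting it. Sample files below are constructed.

# Print the path from every [monitor://...] stanza in an inputs.conf.
monitor_paths() {
    sed -n 's#^\[monitor://\(.*\)\]$#\1#p' "$1"
}

# Print every unique host:port target from "server =" lines in an outputs.conf
# (comma-separated lists are split into one target per line).
output_servers() {
    sed -n 's/^server[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sort -u
}

# Return 0 if every monitored path exists and is readable by the current
# account (run this as the account that runs splunkd), 1 otherwise.
check_monitor_readable() {
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -r "$p" ]; then
            echo "OK   readable: $p"
        else
            echo "FAIL missing or not readable by $(id -un): $p"
            rc=1
        fi
    done <<EOF
$(monitor_paths "$1")
EOF
    return $rc
}

# Return 0 if every forwarding target is host:port with a numeric port,
# 1 otherwise (a bare hostname is a common mistake).
check_output_servers() {
    rc=0
    while IFS= read -r s; do
        [ -n "$s" ] || continue
        if echo "$s" | grep -Eq '^[^:[:space:]]+:[0-9]+$'; then
            echo "OK   target: $s"
        else
            echo "FAIL target is not host:port: $s"
            rc=1
        fi
    done <<EOF
$(output_servers "$1")
EOF
    return $rc
}

# Constructed sample data: a readable log file plus matching conf files.
demo_dir=$(mktemp -d)
sample_log="$demo_dir/messages"
echo "Jan  1 00:00:00 host sshd[1]: constructed sample line" > "$sample_log"
sample_inputs="$demo_dir/inputs.conf"
cat > "$sample_inputs" <<EOF
[monitor://$sample_log]
index = main
sourcetype = linux_messages_syslog
host = forwarder-host-assumed
EOF
sample_outputs="$demo_dir/outputs.conf"
cat > "$sample_outputs" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunkserver:9997
EOF

# Run both checks on the samples; a FAIL here means fix the conf before restart.
check_monitor_readable "$sample_inputs" || echo "inputs.conf needs attention"
check_output_servers "$sample_outputs" || echo "outputs.conf needs attention"
```

The read-permission check is only meaningful when run as the same account that runs splunkd, which is why the failure message prints the current user; running it as root will report OK for files the splunk user cannot open.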