Monitoring Splunk

Monitor remote host logs?

chaga
New Member

I can't understand that.
How can Splunk monitor a log from a remote Linux host?
Universal Forwarder has been installed on the remote Linux host.
What should I do then?

0 Karma

sandyIscream
Communicator

@chaga You should write your inputs.conf and outputs.conf

sample inputs.conf

[monitor:///filepath to monitor]
index =
sourcetype =
host = yourhostname

sample outputs.conf

Run this command to create outputs.conf /opt/splunkforwarder/bin/splunk add forward-server :port
then restart - /opt/splunkforwarder/bin/splunk restart

0 Karma

chaga
New Member

@sandyIscream I have added inputs.conf and outputs.conf as below
[tcpout]
server = splunkserver:9997

[tcpout:default-autolb-group]
disabled = false
server = splunkserver:9997

[tcpout-server://splunkforwardserver:9997]

inputs.conf

[default]
[monitor:///var/log/messages]
index = main
sourcetype = access_common
host = splunkforwaderserver

0 Karma

sandyIscream
Communicator

Did your data start coming to your Splunk instance? @chaga

If not, then let me know where exactly you are facing the issue.

0 Karma

chaga
New Member

Unfortunately, the data did not come up. I have the following in my configuration.

I have added inputs.conf and outputs.conf as below
[tcpout]
server = splunkserver:9997

[tcpout:default-autolb-group]
disabled = false
server = splunkserver:9997

[tcpout-server://splunkforwardserver:9997]

inputs.conf

[default]
[monitor:///var/log/messages]
index = main
sourcetype = access_common
host = splunkforwaderserver

0 Karma

chaga
New Member

Should we configure indexer also?

0 Karma

solarboyz1
Builder

Make sure the splunk user, or whatever account is running splunk, has access to read /var/log/messages.

Also, just a note, the /var/log/messages file sourcetype is normally linux_messages_syslog:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes

0 Karma
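
The read-access check suggested in the reply above can be scripted. This is an added example, not part of the thread and not Splunk tooling; the function names are hypothetical, and it reports access for whichever account runs it, so it assumes you run it as the forwarder's account (for example via `sudo -u splunk`).

```shell
#!/bin/sh
# Added example (not from the thread): report whether the account running
# this script can read each file named in [monitor://...] stanzas.

# Print the path from every [monitor://<path>] stanza header, one per line.
monitor_paths() {
    sed -n 's|^[[:space:]]*\[monitor://\(.*\)][[:space:]]*$|\1|p' "$1"
}

# One status line per monitored path; returns 1 if any path is not readable.
check_monitor_access() {
    rc=0
    paths=$(monitor_paths "$1")
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case $p in
            *'*'*|*...*) echo "WILDCARD   $p (check the matching files by hand)" ;;
            *)  if [ ! -e "$p" ]; then
                    echo "NOT_FOUND  $p (missing, or a parent directory is not searchable)"; rc=1
                elif [ ! -r "$p" ]; then
                    echo "DENIED     $p ($(id -un) cannot read it)"; rc=1
                else
                    echo "READABLE   $p"
                fi ;;
        esac
    done <<EOF
$paths
EOF
    return $rc
}

# Constructed sample: a temp inputs.conf with one readable and one absent file.
demo=$(mktemp -d)
echo "sample line" > "$demo/messages"
cat > "$demo/inputs.conf" <<EOF
[default]
[monitor://$demo/messages]
index = main
sourcetype = linux_messages_syslog

[monitor://$demo/secure]
index = main
EOF
check_monitor_access "$demo/inputs.conf" || echo "at least one input is not readable"
```

To check a real forwarder, point `check_monitor_access` at the inputs.conf you edited; the thread does not say where that file was placed.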