Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Re: Monitor remote host logs?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitor remote host logs?
I can't understand that.
How to Splunk monitor log from remote linux log?
Universal Forwarder have been installed in the remote linux.
What I should do then?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@chaga You should write your inputs.conf and outputs.conf
sample inputs.conf
[monitor:///filepath to monitor]
index =
sourcetype =
host = yourhostname
sample outputs.conf
Run this command to create outputs.conf /opt/splunkforwarder/bin/splunk add forward-server :port
then restart - /opt/splunkforwarder/bin/splunk restart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sandyIscream i have added input and output.conf as below
[tcpout]
server = splunkserver:9997
[tcpout:default-autolb-group]
disabled = false
server = splunkserver:9997
[tcpout-server://splunkforwardserver:9997]
inputs.conf
[default]
[monitor:///var/log/messages]
index = main
sourcetype = access_common
host = splunkforwaderserver
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did your data started coming to your splunk instance ? @chaga
If not then let me know where exactly your are facing the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, the data didnot came up. i have the following in my configuration.
i have added input and output.conf as below
[tcpout]
server = splunkserver:9997
[tcpout:default-autolb-group]
disabled = false
server = splunkserver:9997
[tcpout-server://splunkforwardserver:9997]
inputs.conf
[default]
[monitor:///var/log/messages]
index = main
sourcetype = access_common
host = splunkforwaderserver
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should we configure indexer also?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure the splunk user, or whatever account is running splunk, has access to read /var/log/messages.
Also, just a note, the /var/log/messages file sourcetype is normally linux_messages_syslog:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
