My use case:
1- I have a log file X (a log generated from a web application - errors.log) that exists on a server A
2- Splunk is installed on server B
In order to monitor these logs, one solution (1) is to send the file X to Splunk server B and then use the monitor options in the inputs.conf file.
I was wondering if an alternative solution (2) could work in order to monitor this log. I need to know if I can use the Splunk universal forwarder to monitor the log on another machine, but I don't know the steps yet.
Another solution (3) I'm thinking of is to send the logs to the Splunk server by email, but I don't actually know if that could work.
Please, I need to know if someone has faced this situation before, and what solution is preferable and what are the steps?
Well, that's exactly what the Universal Forwarder is for - reading logs on one system and forwarding them to a Splunk instance on another system.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Introducingtheuniversalforwarder
The best option is to install a universal forwarder on the server where the logs are generated. The forwarder can send the logs to the indexer (your primary Splunk server).
Thanks for your answer. Should I install a Splunk instance where the universal forwarder exists? Could I use an open port for that reason? Can I perform a 2-step forward?
Machine A with universal forwarder --> Machine B with universal forwarder --> Machine C with Splunk Instance.
My situation is this: on an online production machine A server there are error logs. I need to be able to monitor those logs using the universal forwarder, but one of my requirement rules is to not open another port on the server for the Splunk forwarder, and I need to know if I can use an existing open port. The open port is for machine B, so I need to know if I can use a 2-step forward.
Not sure what you're after. What do you mean by "use an open port"? What is step 2? Where did machine C come from?
I recommend that you read through the docs on the Universal Forwarder so you understand what it does and how you can use it. It sounds to me like you're overcomplicating things because you haven't read up on the available options.
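As an added illustration (not posted by anyone in this thread), the configuration for the chain the question describes: machine A tails errors.log with a universal forwarder, machine B runs a universal forwarder as an intermediate forwarder on its already-open port, and machine C is the indexer. The hostnames, the log path /var/log/webapp/errors.log, the sourcetype and index names, and the use of Splunk's default receiving port 9997 are all assumptions for the example.

```ini
# Added example, not from the thread. Assumed values: hostnames, the
# errors.log path, sourcetype/index names, and receiving port 9997.

# ---- Machine A (universal forwarder): $SPLUNK_HOME/etc/system/local/inputs.conf
# Tail the web application's error log; this is the "monitor" input the
# question refers to, running where the file lives rather than on the indexer.
[monitor:///var/log/webapp/errors.log]
disabled = 0
sourcetype = webapp_errors
index = webapp

# ---- Machine A (universal forwarder): $SPLUNK_HOME/etc/system/local/outputs.conf
# Forward everything to the intermediate forwarder on machine B, so no new
# port has to be opened between A and the indexer.
[tcpout]
defaultGroup = to_machine_b

[tcpout:to_machine_b]
server = machineB.example.com:9997

# ---- Machine B (universal forwarder as intermediate forwarder): inputs.conf
# Accept Splunk-to-Splunk traffic from A on the port that is already open.
[splunktcp://9997]
disabled = 0

# ---- Machine B: outputs.conf
# Relay the received events on to the indexer on machine C.
[tcpout]
defaultGroup = to_indexer

[tcpout:to_indexer]
server = machineC.example.com:9997

# ---- Machine C (indexer): inputs.conf
# Enable receiving from the intermediate forwarder.
[splunktcp://9997]
disabled = 0
```

Each instance needs a restart (`splunk restart`) after its .conf files change. For the simpler one-hop layout recommended in the answer above, leave machine B out and point A's `outputs.conf` at machine C directly. Because the forwarder-to-indexer link carries raw application logs, it is worth running both hops over TLS (a `splunktcp-ssl` receiver with certificate settings in `outputs.conf`); those settings are not shown here.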