Reporting

What is the best way to transfer logs to splunk for monitoring?

royimad
Builder

My use case:
1- I have a log file X (a log generated from a web application - errors.log) that exists on server A
2- Splunk is installed on server B
In order to monitor these logs, one solution (1) is to send file X to Splunk server B and then use the monitor options in the inputs.conf file.

I was wondering if an alternative solution (2) could work in order to monitor this log. I need to know if I can use the Splunk universal forwarder to monitor the log on another machine, but I don't know the steps yet.

Another solution (3) I'm thinking of is to send the logs to the Splunk server by email, but I don't actually know if that could work.

Please, I need to know if someone has faced this situation before, and what solution is preferable and what the steps are?

0 Karma
1 Solution

Ayn
Legend

Well that's exactly what the Universal Forwarder is for - reading logs on one system and forwarding them to a Splunk instance on another system.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Introducingtheuniversalforwarder


sbrant_splunk
Splunk Employee

The best option is to install a universal forwarder on the server, where the logs are generated. The forwarder can send the logs to the indexer (your primary Splunk server).

royimad
Builder

Thanks for your answer. Should I install a Splunk instance where the universal forwarder exists? Could I use an open port for that reason? Can I perform 2-step forwarding?
Machine A with universal forwarder --> Machine B with universal forwarder --> Machine C with Splunk instance.

0 Karma
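As an added illustration (not configuration from this thread or from Splunk's documentation), the forwarder settings such a two-hop layout would use: a universal forwarder on Machine A tails errors.log and sends it to Machine B, a universal forwarder on Machine B listens on one receiving port and relays to Machine C, and Machine C indexes. Hostnames (machine-b, machine-c), the port 9997, the file path, the index and sourcetype names, and the $SPLUNK_HOME/etc/system/local/ locations are all assumptions for the example.

```ini
# ---------- Machine A: universal forwarder ----------
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Tail the application's error log; path, index and sourcetype are assumed values.
[monitor:///var/log/webapp/errors.log]
disabled = 0
index = webapp
sourcetype = webapp_errors

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Only one outbound connection is needed: A -> B on the receiving port B already exposes.
[tcpout]
defaultGroup = to_machine_b

[tcpout:to_machine_b]
server = machine-b:9997

# ---------- Machine B: intermediate universal forwarder ----------
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Accept forwarded data from Machine A on the same port the next hop uses.
[splunktcp://9997]
disabled = 0

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Relay everything received (and anything B monitors itself) on to the indexer.
[tcpout]
defaultGroup = to_machine_c

[tcpout:to_machine_c]
server = machine-c:9997

# ---------- Machine C: Splunk indexer ----------
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Enable receiving so forwarded events are indexed here.
[splunktcp://9997]
disabled = 0
```

Restart each Splunk instance after editing, and confirm delivery on Machine C with a search such as `index=webapp sourcetype=webapp_errors`; the forwarder-to-indexer link should be protected with TLS as described in the outputs.conf reference for your Splunk version.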


royimad
Builder

My situation is this: on an online production machine (Machine A) there are error logs that exist. I need to be able to monitor those logs using the universal forwarder, but one of my requirement rules is to not open another port on the server for the Splunk forwarder, and I need to know if I can use an existing open port. The open port is for Machine B, so I need to know if I can use 2-step forwarding.

0 Karma

Ayn
Legend

Not sure what you're after. What do you mean by "use an open port"? What is step 2? Where did machine C come from?

I recommend that you read through the docs on the Universal Forwarder so you understand what it does and how you can use it. It sounds to me like you're overcomplicating things because you haven't read up on the available options.

0 Karma
