Splunk Enterprise

Deployment Server Linux Serverclass Monitoring Lastlog - Do I need to install on the indexer and on the deployment server?

Codyy_Fast
Engager

Hello all,

I am new to Splunk and need a little help.

I have the following configuration:

Splunk Indexer Server.
Splunk Deployment Server.

I have installed Universal Forwarder on my clients and specified Deployment Server in the installation.

After installation, the clients report correctly to the Deployment Server. I have created two server classes.
One for Windows and one for Linux.

Server class Linux:

App "fwd_to_receiver" = the Splunk indexer server is specified here.
App "Linmess" = inputs.conf (this defines what should be monitored)

My question now:

I would like to monitor the /var/log/lastlog file.
But this does not work with inputs.conf.

I have now installed the Splunk Add-on for Unix and Linux.
How can I set this up so that my deployment server distributes a central configuration in which the "Lastlog" file is monitored correctly and the source type also fits? Do I need to install the add-on on the indexer and on the deployment server?

Many thanks in advance!

Best regards
Codyy_Fast


scelikok
SplunkTrust

Hi @Codyy_Fast,

You need to install the Splunk Add-on for Unix and Linux on your indexers and clients.

For your clients you should enable the lastlog input using the inputs.conf below:

$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/lastlog.sh]
index = your_index
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 0

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

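As an added example that is not from this thread or from the add-on itself, a small Python check that a deployment-server admin could run over the Splunk_TA_nix inputs.conf before pushing it: it parses the stanza above and flags the placeholder index, a disabled input, a wrong sourcetype, a bad interval, or a plain monitor on /var/log/lastlog (a binary file, which is why a monitor stanza yields nothing useful and the add-on's script is used instead). The stanza names and the `your_index` placeholder come from the answer; the sample conf and the finding messages are constructed for this example.

```python
# Added example (not from the thread or the add-on): parse a deployed Splunk_TA_nix
# inputs.conf and check that the lastlog scripted input is usable before deploying it.
import configparser

LASTLOG_STANZA = "script://./bin/lastlog.sh"
MONITOR_STANZA = "monitor:///var/log/lastlog"  # binary file: a plain monitor input yields no useful events
INDEX_PLACEHOLDERS = {"", "your_index"}         # 'your_index' is the placeholder used in the answer


def parse_inputs_conf(text: str) -> dict:
    """Parse Splunk .conf text ([stanza] headers, key = value lines) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_lastlog_input(conf: dict) -> list:
    """Return a list of findings; an empty list means the lastlog input is ready to deploy."""
    findings = []
    if MONITOR_STANZA in conf:
        findings.append(f"[{MONITOR_STANZA}] found: /var/log/lastlog is binary, use the lastlog.sh script input")
    stanza = conf.get(LASTLOG_STANZA)
    if stanza is None:
        findings.append(f"missing stanza [{LASTLOG_STANZA}]")
        return findings
    if stanza.get("disabled", "1").strip().lower() not in ("0", "false"):
        findings.append("lastlog input is disabled; set disabled = 0")
    if stanza.get("sourcetype", "").strip() != "lastlog":
        findings.append("sourcetype should be lastlog so the add-on's props for that sourcetype apply")
    if stanza.get("index", "").strip() in INDEX_PLACEHOLDERS:
        findings.append("index is unset or still a placeholder; name an index that exists on the indexer")
    interval = stanza.get("interval", "").strip()
    if not interval.isdigit() or int(interval) <= 0:
        findings.append("interval must be a positive number of seconds")
    return findings


# Constructed sample mirroring the accepted answer, with the placeholder index left in.
SAMPLE_CONF = """\
[script://./bin/lastlog.sh]
index = your_index
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 0
"""

if __name__ == "__main__":
    for finding in check_lastlog_input(parse_inputs_conf(SAMPLE_CONF)):
        print("finding:", finding)
```

Run it against `$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf` by reading that file into `parse_inputs_conf`; an empty findings list means the stanza is ready to be pushed to the Linux server class.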

Codyy_Fast
Engager

Hi, thanks for your reply!

Everything worked, thank you!

I have installed the Linux Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface.


Greetings!
