Splunk Enterprise

Deployment-Server Linux Sererclass Monitoring Lastlog- Do I need to install on the indexer and on the deployment server?

Codyy_Fast
Engager

Hello all,

I am new to Splunk and need a little help.

I have the following configuration:

Splunk Indexer Server.
Splunk Deployment Server.

I have installed Universal Forwarder on my clients and specified Deployment Server in the installation.

After installation, the clients report correctly to the Deployment Server. I have created two server classes.
One for Windows and one for Linux.

Server class Linux:

App "fwd_to_receiver" = the Splunk indexer server is specified here.
App "Linmess" = inputs.conf (here is defined what should be monitored)

My question now:

I would like to monitor the /var/log/lastlog file.
But this does not work with inputs.conf.

I have now installed a Splunk Add-on for Unix and linux.
How can I set this up so that my deployment server distributes a central configuration where the "Lastlog" file is monitored correctly and also the source type fits. Do I need to install the add-on on the indexer and on the deployment server?

Many thanks in advance!

best regards
Codyy_Fast

Labels (2)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @Codyy_Fast,

You need to install Splunk Add-on for Unix and linux on your indexers and clients.

For your clients you should enable lastlog input using below inputs.conf

$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/lastlog.sh]
index = your_index
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 0
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @Codyy_Fast,

You need to install Splunk Add-on for Unix and linux on your indexers and clients.

For your clients you should enable lastlog input using below inputs.conf

$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/lastlog.sh]
index = your_index
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 0
If this reply helps you an upvote and "Accept as Solution" is appreciated.

Codyy_Fast
Engager

Hi, thanks for your Reply!

Everything worked, thank you!

I have installed the Linux Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface.

 

Greetings!

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...