Splunk Enterprise

Deployment-Server Linux Sererclass Monitoring Lastlog- Do I need to install on the indexer and on the deployment server?

Codyy_Fast
Engager

Hello all,

I am new to Splunk and need a little help.

I have the following configuration:

Splunk Indexer Server.
Splunk Deployment Server.

I have installed Universal Forwarder on my clients and specified Deployment Server in the installation.

After installation, the clients report correctly to the Deployment Server. I have created two server classes.
One for Windows and one for Linux.

Server class Linux:

App "fwd_to_receiver" = the Splunk indexer server is specified here.
App "Linmess" = inputs.conf (here is defined what should be monitored)

My question now:

I would like to monitor the /var/log/lastlog file.
But this does not work with inputs.conf.

I have now installed a Splunk Add-on for Unix and linux.
How can I set this up so that my deployment server distributes a central configuration where the "Lastlog" file is monitored correctly and also the source type fits. Do I need to install the add-on on the indexer and on the deployment server?

Many thanks in advance!

best regards
Codyy_Fast

Labels (2)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @Codyy_Fast,

You need to install Splunk Add-on for Unix and linux on your indexers and clients.

For your clients you should enable lastlog input using below inputs.conf

$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/lastlog.sh]
index = your_index
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 0
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @Codyy_Fast,

You need to install Splunk Add-on for Unix and linux on your indexers and clients.

For your clients you should enable lastlog input using below inputs.conf

$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/lastlog.sh]
index = your_index
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 0
If this reply helps you an upvote and "Accept as Solution" is appreciated.

Codyy_Fast
Engager

Hi, thanks for your Reply!

Everything worked, thank you!

I have installed the Linux Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface.

 

Greetings!

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...