Splunk Enterprise

What are some options for Forwarding OS logs from a Full Splunk Ent instance?

neerajs_81
Builder

Hi All, Splunk 101 question.

What are our options if we want to forward OS-level logs (for example: ssh user login/logout activity) from a Deployment Server to our indexer? As a DS is a full Splunk Enterprise instance, it is not recommended to put a UF on the same host. Where do I need to configure it to monitor the OS syslog file also? Is it /etc/system/local/inputs.conf? If yes, how do we maintain this inputs.conf copy for updates, as I assume we cannot push updates to this file from the same host itself? Any best practices here?

My DS is currently sending _audit, _introspection logs to the Idx; these contain info about the Splunk platform and not the OS.
Hope I am clear. Thank you


m_pham
Splunk Employee

It sounds like what you want is the Splunk Add-on for Unix and Linux: https://splunkbase.splunk.com/app/833/

The technical add-on (TA) will need to be installed on the DS and configured with your custom inputs.conf for the TA.


neerajs_81
Builder

Thank you for responding. The release notes of the TA say it needs to be put on a forwarder. But the DS is a full Splunk Ent install. Should we still install it on the DS then? Alternatively, would configuring the local inputs.conf in the /opt/splunk/etc/system/local directory on the DS by adding monitor stanzas also work?


m_pham
Splunk Employee

A Splunk Enterprise server can forward data: https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Aboutforwardingandreceivingdata#:~:tex....

Best practice is for your custom inputs to be in a separate add-on, for example: /opt/splunk/etc/apps/my_custom_app/local/inputs.conf

You should watch this to learn the basics of Splunk Administration: https://www.youtube.com/watch?v=O_w7rSWlHJs

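As an added illustration of the "separate add-on" approach recommended above (this is example configuration written for this page, not something posted in the thread or shipped by Splunk), here is what a minimal inputs.conf for the authentication logs asked about in the question could look like. The app name `my_custom_app`, the index name `os`, and the log paths are assumptions; adjust them to your environment, and make sure the index already exists on the indexers before enabling the stanzas.

```ini
# /opt/splunk/etc/apps/my_custom_app/local/inputs.conf
# Example only: monitor stanzas for Linux authentication logs on the
# Deployment Server host. The existing outputs.conf that already sends
# _audit/_introspection to the indexer is reused, so nothing else is needed
# for forwarding. Index name "os" and the sourcetypes are assumptions.

# Debian/Ubuntu family: sshd login/logout events are written to auth.log
[monitor:///var/log/auth.log]
disabled = false
index = os
sourcetype = linux_secure

# RHEL/CentOS family: the same events are written to /var/log/secure
[monitor:///var/log/secure]
disabled = false
index = os
sourcetype = linux_secure

# General syslog stream (covers sudo, cron and service events)
[monitor:///var/log/messages]
disabled = false
index = os
sourcetype = syslog
```

Because this file lives in an app directory rather than in system/local, it survives upgrades and can be version-controlled like any other add-on; after a restart, `$SPLUNK_HOME/bin/splunk btool inputs list monitor --debug` shows each effective stanza together with the file it came from, which is a quick way to confirm that no stale copy in system/local is overriding it.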