Any way to fetch logs via ssh

hatim
New Member

I have a splunk server and ssh access to a server with read-only access to logs. I can ssh from the machine on which I have splunk server.

Is there a way with which I can fetch the logs and index them (and do further processing)? It will be a hurdle to install a Splunk forwarder on the machine which has the logs (it's in production and hence under tight control).


joerogersLMB
Engager

I had the same dilemma with a remote server, and sshfs worked well.

I mounted the remote /var/log directory to a local server running splunkforwarder. Added into inputs.conf, restarted and boom: remote logs ingesting.

Here are the basic steps for SSHFS on a Debian-based OS, as tested on Linux Mint 15:

sudo apt-get install sshfs
sudo modprobe fuse                  # load the FUSE kernel module
sudo adduser "$USER" fuse           # add your user to the fuse group (log out and back in afterwards)
sudo chown root:fuse /dev/fuse
mkdir ~/remoteserv
sshfs -o allow_other username@ipaddress:/var/log ~/remoteserv

to unmount:
fusermount -u ~/remoteserv

[I'll leave auto-mounting in /etc/fstab as a google exercise.]

Add into etc/system/local/inputs.conf

[monitor:///pathto/remoteserv_dir/]
disabled = false
host = remoteserv_hostname
index = optional_index_name
sourcetype = syslog

And restart your Splunk forwarder.


Ayn
Legend

Three possible approaches come to mind:

  1. Create a SSH tunnel and send Splunk forwarder traffic through that.
  2. Use a FUSE SSH filesystem like SSHFS to mount the remote filesystem over SSH, then read the logs from there.
  3. Create your own scripts that scp the logs from the remote host on a regular basis. You will need to set up SSH keys and agents to make the scripts work without explicitly needing to enter credentials interactively every time the script runs.
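Approach 3 above written out as a cron-able script, as an added example that is not from any poster in this thread. It pulls the remote log directory over SSH with rsync into the local directory that the [monitor://...] stanza from the sshfs answer watches. The account, host and key path are placeholders, and it assumes rsync and ssh exist on both ends and that the remote account is read-only.

```shell
#!/bin/sh
# Added example: unattended pull of production logs over SSH into a Splunk-monitored
# directory. Host, user and key names are placeholders (assumptions, not from the thread).
REMOTE_USER="${REMOTE_USER:-loguser}"            # hypothetical read-only account
REMOTE_HOST="${REMOTE_HOST:-prod.example.com}"   # placeholder hostname
REMOTE_DIR="${REMOTE_DIR:-/var/log/}"            # trailing slash: copy the contents
LOCAL_DIR="${LOCAL_DIR:-$HOME/remoteserv}"       # the path named in [monitor://...]
KEY_FILE="${KEY_FILE:-$HOME/.ssh/splunk_fetch}"  # dedicated key, not your admin key
LOG_FILE="${LOG_FILE:-$LOCAL_DIR/.fetch.log}"    # where this script reports itself

# SSH options for unattended use: never prompt (cron has no tty), refuse hosts that
# are not already in known_hosts, and offer only the dedicated key.
ssh_opts() {
  printf 'ssh -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes' "$KEY_FILE"
}

# rsync flags: -r recurse, -t keep mtimes (rotated files keep their order),
# --safe-links skips symlinks pointing outside the tree. Deliberately no --delete:
# Splunk tracks its own read position, and a rotated-away remote file must stay
# local until it has been indexed.
rsync_flags() {
  printf '%s' "-rt --safe-links --timeout=60"
}

# Refuse a key that group or others can read. ssh would refuse it too, but failing
# loudly here makes the cron log explain itself. Checks the ls -l mode string
# (owner bits are free, the six group/other bits must all be '-').
key_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1")" in
    -???------*) return 0 ;;
    *)           return 1 ;;
  esac
}

fetch_logs() {
  key_is_private "$KEY_FILE" || { echo "refusing: $KEY_FILE is group/world readable" >&2; return 2; }
  mkdir -p "$LOCAL_DIR"
  # On the production host, pin this key in authorized_keys to read-only rsync
  # (rsync ships an rrsync helper: command="rrsync -ro /var/log") so it cannot
  # open a shell even if the Splunk box is compromised.
  # shellcheck disable=SC2046
  rsync $(rsync_flags) -e "$(ssh_opts)" \
    "$REMOTE_USER@$REMOTE_HOST:$REMOTE_DIR" "$LOCAL_DIR" >>"$LOG_FILE" 2>&1
}

# Example cron line, every 5 minutes:  */5 * * * * /usr/local/bin/fetch_logs.sh run
if [ "${1:-}" = "run" ]; then fetch_logs; fi
```

The local directory then goes into inputs.conf exactly as in the sshfs answer; the fetch log lives in a dot-file so the monitor stanza's default ignore of hidden files keeps it out of the index.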