Hi. I've installed Splunk on two machines; one is the server I want to coalesce data from various sources, and the other is one of the sources. The machine I want to monitor is a typical Linux webserver running Apache. I've installed the universal forwarder on my webserver. I configured it to talk to the main Splunk machine, and I've told it to monitor /var/log. The results in the web interface are, frankly, astoundingly disappointing. I can see the webserver under hosts, but the sources are:
/var/log/rpmpkgs.2
/var/log/dmesg
/var/log/yum.log
/var/log/prelink/prelink.log
This seems like a pretty basic task. This is a project I'm doing on the side. I can't be a full-time Splunk administrator. I mainly want to monitor my web & system logs for a handful of different webservers. Eventually, if I'm feeling spunky, I may even add some Windows webservers and database servers to the mix. Right now, though, I'd really like to be able to index something useful.
Is there a quick tutorial that might shed some light on this relatively trivial task?
Thanks.