Splunk Enterprise

Deployment-Server Linux Sererclass Monitoring Lastlog- Do I need to install on the indexer and on the deployment server?

Codyy_Fast
Engager

Hello all,

I am new to Splunk and need a little help.

I have the following configuration:

Splunk Indexer Server.
Splunk Deployment Server.

I have installed Universal Forwarder on my clients and specified Deployment Server in the installation.

After installation, the clients report correctly to the Deployment Server. I have created two server classes.
One for Windows and one for Linux.

Server class Linux:

App "fwd_to_receiver" = the Splunk indexer server is specified here.
App "Linmess" = inputs.conf (here is defined what should be monitored)

My question now:

I would like to monitor the /var/log/lastlog file.
But this does not work with inputs.conf.

I have now installed a Splunk Add-on for Unix and linux.
How can I set this up so that my deployment server distributes a central configuration where the "Lastlog" file is monitored correctly and also the source type fits. Do I need to install the add-on on the indexer and on the deployment server?

Many thanks in advance!

best regards
Codyy_Fast

Labels (2)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @Codyy_Fast,

You need to install Splunk Add-on for Unix and linux on your indexers and clients.

For your clients you should enable lastlog input using below inputs.conf

$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/lastlog.sh]
index = your_index
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 0
If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @Codyy_Fast,

You need to install Splunk Add-on for Unix and linux on your indexers and clients.

For your clients you should enable lastlog input using below inputs.conf

$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/lastlog.sh]
index = your_index
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 0
If this reply helps you an upvote is appreciated.

Codyy_Fast
Engager

Hi, thanks for your Reply!

Everything worked, thank you!

I have installed the Linux Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface.

 

Greetings!

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...