I have a Linux server and a Windows server. My Windows server is the receiver and my Linux server is a forwarder. There is a specific log file that contains the logs I want to forward to the Windows server. How do I do that?
The most important thing I would like to do is monitor that log file for any logs that get written to it. I do not want to keep uploading and forwarding that file as it grows to my Windows server. So any log that gets generated, I want to forward that to the Windows server rather than the whole file.
Any help is greatly appreciated. Thanks.
I added `[monitor:///var/log/logmessages]` to the inputs.conf file. logmessages is the file my logs are written to. Will this work?
Looks like you are looking for basic Splunk forwarding and receiving functionality. I suggest you start with the following from the docs:
http://www.splunk.com/base/Documentation/latest/Admin/Enableforwardingandreceiving
BTW, Splunk forwards the whole file the first time a new file is found (or when it's first set up as a monitor input), then after that only newly added log events are forwarded. Splunk doesn't keep re-copying the same file over and over again, if that's what you are asking about.
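The setup the question describes, written out as an added example (not from the original post or the docs): a monitor input on the Linux forwarder, an outputs.conf that sends to the Windows receiver, and the receiving input on the Windows side. The hostname `win-receiver.example.com`, the index name and the sourcetype are assumed placeholders; 9997 is Splunk's conventional receiving port.

```ini
# --- Linux forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Monitor the file; Splunk records its read position, so after the
# initial read only newly appended events are sent, not the whole file.
[monitor:///var/log/logmessages]
disabled = false
sourcetype = logmessages      ; assumed name, pick one that fits the data
index = main                  ; assumed; must exist on the receiver

# --- Linux forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = windows_receiver

[tcpout:windows_receiver]
server = win-receiver.example.com:9997   ; assumed hostname, default port

# --- Windows receiver: %SPLUNK_HOME%\etc\system\local\inputs.conf ---
# Listen for forwarded data on the port named in the forwarder's outputs.conf.
[splunktcp://9997]
disabled = false
```

Restart Splunk on both hosts after editing, and allow TCP 9997 from the Linux host through the Windows firewall.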