getting remote linux logs

rhuber
Explorer

I have Splunk on a Linux box and need to get log info off other Linux boxes on my network. I've looked over the docs and it is just not clear how to do this. If someone could give me an explicit example of how to set this up I would greatly appreciate it. FWIW, I am new to Splunk and just installed it for the first time yesterday.

Thanks, rj

rhuber
Explorer

Thanks for the responses.

I've set up regular forwarding on one remote server and light forwarding on a second. As far as I can tell, the major difference between the two is lower throughput and no parsing. Am I missing any other differences?


mikelanghorst
Motivator

The lower throughput can be modified by adding an etc/system/local/limits.conf to override the default limiter, if desired.

There are a few other subsystems that are disabled on an LWF, such as UDP/TCP inputs.


Ron_Naken
Splunk Employee

A simple method -- though not nearly as powerful or flexible as using a Lightweight Forwarder -- is to send your logs via Syslog. You can configure Splunk to listen on a network port, likely UDP:514 for Syslog (default).

*NIX hosts can be configured to send logs to remote systems (using Syslog) in much the same way you configure them to log locally. This is typically done in syslog.conf or rsyslog.conf.

Here's a reference to some examples of rsyslog.conf: http://www.rsyslog.com/doc/rsyslog_conf_examples.html

Here's a reference to some examples of syslog.conf: http://linux.about.com/od/commands/l/blcmdl5_syslogc.htm

Check your /etc folder and see which one controls your system's logging. It should have examples inside the conf file.

Cheers,
Ron
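The syslog route Ron describes, written out as an added example (this is not code from the thread or from Splunk). It renders the two files involved: the rsyslog drop-in on each sending host, and the inputs.conf stanza that makes the Splunk box listen. The file name 50-splunk.conf, the hostname splunk.example.com and /opt/splunk as SPLUNK_HOME are assumptions; the ROOT argument lets you render everything into a scratch directory first and review it before touching /etc.

```shell
#!/bin/sh
# Added example: forward a Linux host's syslog to Splunk and open the
# matching listener. Assumed: drop-in name 50-splunk.conf, SPLUNK_HOME
# /opt/splunk, hostname splunk.example.com. ROOT (e.g. /tmp/stage) is a
# staging prefix; use ROOT="" to write the real files.
set -eu

# Sending host: /etc/rsyslog.d/50-splunk.conf (rsyslog legacy syntax).
#   udp -> "@host:port"  fire-and-forget: no delivery guarantee, no auth,
#                        and trivially spoofable on a shared network
#   tcp -> "@@host:port" reliable delivery, still plaintext on the wire
write_rsyslog_forward_conf() {
    root="$1"; host="$2"; port="$3"; proto="$4"
    case "$proto" in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    mkdir -p "$root/etc/rsyslog.d"
    {
        echo "# Forward every facility/severity to Splunk; local logging is untouched"
        if [ "$proto" = tcp ]; then
            # Disk-assisted queue so messages survive a collector outage
            # (needs rsyslog's $WorkDirectory, which distro configs set)
            echo '$ActionQueueType LinkedList'
            echo '$ActionQueueFileName splunkfwd'
            echo '$ActionQueueSaveOnShutdown on'
            echo '$ActionResumeRetryCount -1'
        fi
        echo "*.* ${prefix}${host}:${port}"
    } > "$root/etc/rsyslog.d/50-splunk.conf"
}

# Splunk box: append a network input to etc/system/local/inputs.conf.
# Ports below 1024 need root (or splunkd running as root); if that is not
# acceptable, pick e.g. 1514 on both sides instead of 514.
write_splunk_syslog_input() {
    root="$1"; splunk_home="$2"; port="$3"; proto="$4"
    dir="$root$splunk_home/etc/system/local"
    mkdir -p "$dir"
    cat >> "$dir/inputs.conf" <<EOF

[$proto://$port]
sourcetype = syslog
connection_host = dns
EOF
}

# Usage on a sender:  write_rsyslog_forward_conf "" splunk.example.com 514 tcp
#                     then restart rsyslog and confirm with: logger "splunk test"
# Usage on the indexer: write_splunk_syslog_input "" /opt/splunk 514 tcp
#                     then restart Splunk and search for "splunk test".
```

Pick the same protocol on both sides. UDP is what most syslog.conf examples show, but anything dropped in transit is simply gone and anyone on the path can inject lines; TCP with the queue directives above is the minimum for logs you intend to rely on in an investigation.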

dwaddle
SplunkTrust

There are many ways to accomplish this, but the "best" (from the standpoint of maximal features and minimal oddities) is to use Splunk Light Forwarders on the "other" boxes. A Light Forwarder is a Splunk installation that has the SplunkLightForwarder App enabled. (What I mean by this is there isn't a separate install [as of Splunk 4.1 anyway] for "just" the Forwarder. You install the same RPM/DEB on every machine, and what it does is based on how you configure it.)

You will configure your indexer to listen on a "splunktcp" input, and configure your forwarder apps on your other machines to forward data to it.

Documentation wise, you'll want to start at http://www.splunk.com/base/Documentation/latest/Admin/Aboutforwardingandreceiving. That (and subsequent pages in the same section) covers pretty well how you go about configuring forwarding.
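The forwarder setup dwaddle outlines, plus the limits.conf override mikelanghorst mentions, as one added example (not the thread's or Splunk's own code). It writes the indexer's receiving stanza and the forwarder's outputs.conf, inputs.conf and limits.conf. Assumed: Splunk installed under /opt/splunk on every box, the indexer is splunk.example.com, the receiving port is 9997 (the port the Splunk docs use in their examples), and ROOT is a staging prefix so the files can be reviewed before installing them.

```shell
#!/bin/sh
# Added example: the files behind "indexer listens on splunktcp, the
# other boxes forward to it". Assumed: SPLUNK_HOME /opt/splunk everywhere,
# indexer splunk.example.com:9997. ROOT is a staging prefix ("" for real).
set -eu

# Indexer: accept forwarder connections. Equivalent to running
#   $SPLUNK_HOME/bin/splunk enable listen 9997
# splunktcp is plaintext unless SSL is configured, so firewall this port
# to the forwarder hosts.
write_indexer_receiver() {
    root="$1"; splunk_home="$2"; port="$3"
    dir="$root$splunk_home/etc/system/local"
    mkdir -p "$dir"
    cat >> "$dir/inputs.conf" <<EOF

[splunktcp://$port]
EOF
}

# Forwarder: where to send, what to read, and the throughput cap.
# The light forwarder app throttles output via limits.conf [thruput];
# maxKBps = 0 removes the cap, any other value is KB/s.
write_forwarder_conf() {
    root="$1"; splunk_home="$2"; indexer="$3"; port="$4"; max_kbps="$5"
    dir="$root$splunk_home/etc/system/local"
    mkdir -p "$dir"
    cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary

[tcpout:primary]
server = $indexer:$port
EOF
    # Read everything under /var/log except rotated archives
    cat > "$dir/inputs.conf" <<'EOF'
[monitor:///var/log]
blacklist = \.(gz|bz2|xz)$
EOF
    cat > "$dir/limits.conf" <<EOF
[thruput]
maxKBps = $max_kbps
EOF
}

# Usage on the indexer:   write_indexer_receiver "" /opt/splunk 9997
# Usage on each sender:   write_forwarder_conf "" /opt/splunk splunk.example.com 9997 0
# then, per the 4.x docs, make that install a light forwarder with
#   $SPLUNK_HOME/bin/splunk enable app SplunkLightForwarder
# and restart Splunk on both sides.
```

Note that the forwarder and indexer files are both called inputs.conf: one opens a listening port, the other declares what to read from disk. Keep them straight, because a forwarder that also has a splunktcp stanza will happily start listening too.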
