Hi
I am using Ubuntu OS on AWS and I have five servers. I used a full Splunk installation on the first server and universal forwarder installations on the other servers. I enabled receiver port 9997 on the first server using Splunk Web (http://www.splunk.com/base/Documentation/latest/Deploy/Enableareceiver). How do I forward data to the first server using the universal forwarder from the rest of the servers? For example, I want to monitor the /var/log/ directory on all the servers from the main Splunk instance. Any simple config examples for input.conf and output.conf?
thanks in advance
Hello,
I have done the above two configurations on the client servers, but I couldn't see any changes in Splunk Web. Is there anything else I have to configure for it to work properly? How do I check whether forwarding is working or not?
thanks
jobycxa,
These configurations are pretty straightforward.
## inputs.conf
###### OS Logs ######
[monitor:///var/log]
disabled = false
## outputs.conf
[tcpout]
disabled=false
defaultGroup=indexCluster
## For load balanced Splunk Forwarding
#[tcpout:indexCluster]
#server=1.1.1.1:9997,2.2.2.2:9997,3.3.3.3:9997
#autoLB = true
## For non load balanced lightweight Splunk Forwarding (disabled by default)
[tcpout:indexCluster]
server=1.1.1.1:9997
See also:
Monitoring Files & Directories
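A forwarder that sends nothing often has a `defaultGroup` that names no `[tcpout:<group>]` stanza, or a `server` entry with no port. The following is an added example, not part of the original answer and not Splunk tooling: a small Python check of an outputs.conf body for exactly those mistakes. The function name `check_outputs` and the sample text are constructed for illustration, and the check covers file consistency only, not whether data reaches the receiver.

```python
import configparser

# Constructed sample mirroring the outputs.conf posted in the answer above.
SAMPLE_OUTPUTS = """
[tcpout]
disabled=false
defaultGroup=indexCluster

## For load balanced Splunk Forwarding
#[tcpout:indexCluster]
#server=1.1.1.1:9997,2.2.2.2:9997,3.3.3.3:9997

[tcpout:indexCluster]
server=1.1.1.1:9997
"""

def check_outputs(text):
    """Return a list of problems in an outputs.conf body (empty list = consistent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. defaultGroup
    cp.read_string(text)
    if not cp.has_section("tcpout"):
        return ["no [tcpout] stanza"]
    problems = []
    if cp.get("tcpout", "disabled", fallback="false").strip().lower() in ("true", "1"):
        problems.append("[tcpout] is disabled")
    raw_groups = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in raw_groups.split(",") if g.strip()]
    if not groups:
        problems.append("[tcpout] has no defaultGroup")
    for group in groups:
        stanza = "tcpout:" + group
        if not cp.has_section(stanza):
            # Typical when only the commented-out stanza matches the group name.
            problems.append(f"defaultGroup '{group}' has no [{stanza}] stanza")
            continue
        raw_servers = cp.get(stanza, "server", fallback="")
        servers = [s.strip() for s in raw_servers.split(",") if s.strip()]
        if not servers:
            problems.append(f"[{stanza}] has no server entries")
        for server in servers:
            host, sep, port = server.rpartition(":")  # receiver must be host:port
            if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
                problems.append(f"[{stanza}] bad server entry '{server}'")
    return problems
```

Once the file is consistent, running `splunk list forward-server` on the forwarder shows whether the configured receiver is listed as an active forward.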