I have a Splunk server and SSH access to a server with read-only access to logs. I can SSH from the machine on which I have the Splunk server.
Is there a way by which I can fetch the logs and index them (and do further processing)? It will be a hurdle to install a Splunk forwarder on the machine which has the logs (it's in production and hence under tight control).
I had the same dilemma with a remote server, and sshfs worked well.
I mounted the remote /var/log directory on a local server running splunkforwarder. Added it into inputs.conf, restarted, and boom: remote logs ingesting.
Here are the basic steps for SSHFS on a Debian-based OS, as tested on Linux Mint 15:
```shell
sudo apt-get install sshfs
sudo modprobe fuse                 # load the FUSE kernel module
sudo adduser "$USER" fuse          # add your own account to the fuse group (not create a user named "fuse")
sudo chown root:fuse /dev/fuse     # let members of the fuse group open the device
mkdir ~/remoteserv                 # local mount point
sshfs -o allow_other username@ipaddress:/var/log ~/remoteserv
```
to unmount:
```shell
fusermount -u ~/remoteserv
```
[I'll leave auto-mounting in /etc/fstab as a google exercise.]
Add into etc/system/local/inputs.conf:
```ini
[monitor:///pathto/remoteserv_dir/]
disabled = false
host = remoteserv_hostname
index = optional_index_name
sourcetype = syslog
```
And restart your Splunk forwarder.
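The same procedure as one script, added here as an example and not part of the answer above. It mounts the remote log directory read-only with a dedicated SSH key and generates the matching monitor stanza; the account name, key path, mount point and SPLUNK_HOME are assumptions you would replace.

```shell
#!/bin/sh
# Added example: read-only SSHFS mount of remote /var/log plus the
# Splunk monitor stanza. REMOTE, KEY, MOUNT and SPLUNK_HOME are assumed.
set -eu

REMOTE="${REMOTE:-splunkro@logs.example.internal}"   # assumed read-only account
KEY="${KEY:-$HOME/.ssh/id_splunkro}"                  # assumed dedicated key
MOUNT="${MOUNT:-$HOME/remoteserv}"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print the [monitor://] stanza for an absolute mount path.
# monitor:// needs an absolute path, so a relative one is rejected.
render_stanza() {
    mount="$1"; host="$2"; index="$3"
    case "$mount" in
        /*) ;;
        *) echo "mount path must be absolute: $mount" >&2; return 1 ;;
    esac
    printf '[monitor://%s/]\n' "${mount%/}"
    printf 'disabled = false\nhost = %s\nindex = %s\nsourcetype = syslog\n' \
        "$host" "$index"
}

# Mount read-only (ro) so the forwarder side can never write back,
# reconnect if the SSH session drops, and use the dedicated key.
# allow_other for a non-root user requires user_allow_other in /etc/fuse.conf.
mount_logs() {
    mkdir -p "$MOUNT"
    mountpoint -q "$MOUNT" && return 0
    sshfs -o ro,reconnect,allow_other,IdentityFile="$KEY" \
        "$REMOTE:/var/log" "$MOUNT"
    mountpoint -q "$MOUNT"
}

main() {
    mount_logs
    render_stanza "$MOUNT" remoteserv_hostname main \
        >> "$SPLUNK_HOME/etc/system/local/inputs.conf"
    "$SPLUNK_HOME/bin/splunk" restart
}

# Run with RUN_MOUNT=1 to mount and restart; otherwise only the
# functions are defined so the script can be sourced and checked.
if [ "${RUN_MOUNT:-0}" = 1 ]; then main; fi
```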
Three possible approaches come to mind: