Getting Data In

How to configure the forwarder to monitor logs on a different machine that does not have Splunk installed?

friscos
Explorer

Hi,

I have installed Splunk Enterprise Server and forwarder on two different Windows machines.

I would like to configure my forwarder to monitor the logs on a Linux machine without installing the forwarder on that machine. Is that allowed in Splunk? Could you please direct me to the right documentation on this?

Ex:
Windows Machine A - Splunk Enterprise Server
Windows Machine B - Forwarder installed and mapped to Machine A
Linux Machine C - Actual Server that needs to be monitored in Splunk

Thanks

0 Karma
1 Solution

lguinn2
Legend

The Splunk forwarder needs to be able to see the log files from the filesystem. So if you can mount the Linux filesystem so that it can be read from Windows Machine B, then it might work okay. The account that is running the forwarder on Windows Machine B may need elevated domain privileges to access the files from Linux Machine C. Performance might not be great, as you are reaching across the network to monitor files.

If that doesn't work, then you might be forced to follow the Splunk Best Practice: install a forwarder on Linux Machine C.
Also, the forwarder on any machine should run with the fewest privileges possible. On Linux Machine C, the forwarder could run as any user that has sufficient privileges to read the log files. root should not be used and no domain privileges will be needed by the forwarder on Linux Machine C.

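Added example, not from this thread or from Splunk's own tooling: a preflight check, run on Linux Machine C before starting a non-root forwarder, that reports which log files the service account can read from the owner/group/other mode bits and renders inputs.conf monitor stanzas only for those. The account name `splunk`, the `/var/log` path and the `linux_logs` sourcetype are assumptions; POSIX ACLs are not evaluated.

```python
import os, stat, pwd, grp, tempfile
from pathlib import Path

def can_user_read(path, uid, gids):
    """True if a process with this uid/these gids could open `path` for reading,
    judged from the owner/group/other mode bits (POSIX ACLs are not consulted)."""
    if uid == 0:                      # root bypasses discretionary read checks
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def ids_for_user(username):
    """Resolve an account name to (uid, {primary + supplementary gids})."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids

def audit_log_dir(directory, uid, gids, pattern="*.log"):
    """Split matching files under `directory` into readable / not readable for the account."""
    readable, blocked = [], []
    for p in sorted(Path(directory).rglob(pattern)):
        if p.is_file():
            (readable if can_user_read(p, uid, gids) else blocked).append(str(p))
    return readable, blocked

def monitor_stanzas(paths, sourcetype="linux_logs", index="main"):
    """Render inputs.conf [monitor://...] stanzas for the paths the account can read."""
    out = []
    for p in paths:
        out += [f"[monitor://{p}]", f"sourcetype = {sourcetype}", f"index = {index}", "disabled = 0", ""]
    return "\n".join(out)

def build_sample_logs():
    """Constructed sample data: a world-readable app.log and a group-only auth.log."""
    d = tempfile.mkdtemp()
    for name, mode in (("app.log", 0o644), ("auth.log", 0o640)):
        Path(d, name).write_text("sample line\n")
        os.chmod(os.path.join(d, name), mode)
    st = os.stat(os.path.join(d, "auth.log"))
    return d, st.st_uid, st.st_gid

if __name__ == "__main__":
    uid, gids = ids_for_user("splunk")          # assumed forwarder service account
    ok, denied = audit_log_dir("/var/log", uid, gids)
    print(monitor_stanzas(ok)); print("# not readable by the account:", denied)
```

Files that land in the "not readable" list are the ones to fix with group membership or an ACL, rather than by running the forwarder as root.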

ddrillic
Ultra Champion

A similar discussion at How to get remote linux log into splunk

It says -


0 Karma
