Getting Data In

How to configure the forwarder to monitor logs on a different machine that does not have Splunk installed?

friscos
Explorer

Hi,

I have installed Splunk Enterprise Server and forwarder on two different Windows machines.

I would like to configure my forwarder to monitor the logs on a Linux machine without installing the forwarder on that machine. Is that allowed in Splunk? Could you please direct me to the right documentation on this?

Ex:
Windows Machine A - Splunk Enterprise Server
Windows Machine B - Forwarder installed and mapped to Machine A
Linux Machine C - Actual Server that needs to be monitored in Splunk

Thanks

0 Karma
1 Solution

lguinn2
Legend

The Splunk forwarder needs to be able to see the log files from the filesystem. So if you can mount the Linux filesystem so that it can be read from Windows Machine B, then it might work okay. The account that is running the forwarder on Windows Machine B may need elevated domain privileges to access the files from Linux Machine C. Performance might not be great, as you are reaching across the network to monitor files.

If that doesn't work, then you might be forced to follow the Splunk Best Practice: install a forwarder on Linux Machine C.
Also, the forwarder on any machine should run with the fewest privileges possible. On Linux Machine C, the forwarder could run as any user that has sufficient privileges to read the log files. root should not be used and no domain privileges will be needed by the forwarder on Linux Machine C.

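The accepted answer's two conditions (the forwarder account must be able to read the files, and it should hold the fewest privileges that still allow that) can be checked before the forwarder is deployed. The preflight script below is an added example, not from this thread or from Splunk: it simulates POSIX mode-bit access for a given uid and group set over a monitor path, lists what that account could not read, and renders the `inputs.conf` stanza to use once the list is empty. The `/mnt/linux-c/var/log` path, the `65534` identity and the temp log tree are constructed for the demo; ACLs and setuid-style exceptions are not modelled.

```python
"""Pre-flight check for a Splunk forwarder monitor path (added example, not from the thread).
Given the uid/gids the forwarder service account will run with, walk the path and report
what that account could not read by POSIX mode bits, then render the inputs.conf stanza.
ACLs are not modelled; run it on the host (or against the mounted share) before deploying."""
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple


def perm_bits(st: os.stat_result, uid: int, gids: Iterable[int]) -> int:
    """Return the rwx class (owner, group or other) that applies to the account."""
    if st.st_uid == uid:                      # owner class wins even if group bits are wider
        return (st.st_mode >> 6) & 7
    if st.st_gid in set(gids):
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def unreadable_paths(root: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Paths the account cannot read: files need r, directories need r+x to be searched."""
    gids, bad = set(gids), []
    for dirpath, dirnames, filenames in os.walk(root):
        if perm_bits(os.stat(dirpath), uid, gids) & 0o5 != 0o5:
            bad.append(dirpath + os.sep)
            dirnames[:] = []                  # nothing below is reachable; do not descend
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not perm_bits(os.stat(path), uid, gids) & 0o4:
                bad.append(path)
    return sorted(bad)

def monitor_stanza(path: str, sourcetype: str, index: str) -> str:
    """inputs.conf stanza to add once the preflight returns an empty list."""
    return f"[monitor://{path}]\nsourcetype = {sourcetype}\nindex = {index}\ndisabled = false\n"

def demo() -> Tuple[List[str], List[str]]:
    """Constructed log tree checked as its owner and as an unrelated uid/gid (65534)."""
    root = Path(tempfile.mkdtemp(prefix="logs-"))
    app = root / "app"
    app.mkdir()
    (root / "syslog").touch()
    (app / "app.log").touch()
    for p, mode in ((root, 0o755), (app, 0o750), (root / "syslog", 0o644), (app / "app.log", 0o640)):
        p.chmod(mode)                         # explicit modes so the umask does not matter
    as_owner = unreadable_paths(str(root), os.getuid(), {os.getgid()})
    as_other = unreadable_paths(str(root), 65534, {65534})
    return as_owner, as_other
```

Running `demo()` shows the owner can read everything while the unrelated account is stopped at the `app/` directory, which is exactly the kind of gap a dedicated non-root forwarder user (granted group or ACL read access) needs closed before the monitor stanza is added.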

ddrillic
Ultra Champion

A similar discussion at How to get remote linux log into splunk

0 Karma
