Getting Data In

New Install - Ubuntu

GLC2012
Explorer

Hello,

I'm trialling Splunk purely as a syslog server, and have installed it on a Windows 2003 server, and can receive syslog information from other Windows servers; however, I'm not receiving anything from my Ubuntu server. I've modified the syslog.conf file and included *.* @"splunkserver" at the top of the file and restarted the service, but I don't get anything in Splunk. Can't work out why. Help please. Thanks

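The forwarding rule in the question is worth checking mechanically before looking anywhere else. Below is an added example (not code from this thread or from Splunk) that parses the classic selector/action syntax of syslog.conf and reports the things that stop remote forwarding from working or make it unsafe: a target that is not a valid hostname or address, a bad port, and UDP (@host) versus TCP (@@host, rsyslog legacy syntax). The sample file is constructed; the hostnames and addresses in it are placeholders.

```python
"""Check the forwarding rules in a syslog.conf / rsyslog legacy-syntax file.

Added example, not from the thread. Assumes the classic rule format
"<selector> <action>", where an action of @host forwards over UDP and
@@host forwards over TCP (rsyslog legacy syntax), optionally with :port.
"""
import re

# Constructed sample. The first rule is the shape of the line in the
# question, quotes included; the rest are typical entries.
SAMPLE_SYSLOG_CONF = """\
# forward everything to the Splunk box
*.* @"splunkserver"
auth,authpriv.* @@192.0.2.10:514
mail.none;*.info /var/log/messages
*.emerg *
"""

# RFC 1123 style host label check (IPv4 dotted quads pass as well).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_rules(text):
    """Return (selector, action) pairs, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a selector with no action is not a rule
        rules.append((parts[0], parts[1].strip()))
    return rules


def classify_action(action):
    """Return (transport, host, port) for a forwarding action, else None."""
    if action.startswith("@@"):
        transport, target = "tcp", action[2:]
    elif action.startswith("@"):
        transport, target = "udp", action[1:]
    else:
        return None  # file, user list, pipe or '*': not remote forwarding
    host, sep, port = target.rpartition(":")
    if not sep:
        host, port = target, None
    return transport, host, port


def audit_syslog_conf(text):
    """Return a list of findings; an empty list means the forwarding looks sane."""
    findings = []
    forwards = 0
    for selector, action in parse_rules(text):
        fwd = classify_action(action)
        if fwd is None:
            continue
        forwards += 1
        transport, host, port = fwd
        rule = f"{selector} {action}"
        if not HOSTNAME_RE.match(host):
            findings.append(f"{rule}: target '{host}' is not a valid hostname or address")
        if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"{rule}: port '{port}' is not a valid TCP/UDP port")
        if transport == "udp":
            findings.append(
                f"{rule}: sent over UDP, which is unacknowledged and trivially "
                "spoofable; prefer @@host (TCP) where the collector supports it"
            )
    if forwards == 0:
        findings.append("no forwarding rule (@host or @@host) found")
    return findings


if __name__ == "__main__":
    for finding in audit_syslog_conf(SAMPLE_SYSLOG_CONF) or ["ok"]:
        print(finding)
```

Run it against the real file with `audit_syslog_conf(open("/etc/syslog.conf").read())`; a rule whose target fails the hostname check is the first thing to fix, since the daemon will simply fail to resolve it and drop the messages silently.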
1 Solution

rturk
Builder

What you need to do on the Splunk Forwarder is tell it where to send the data it collects. You can do this one of two ways:

Edit/create the outputs.conf (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf) configuration. From your directory path above you'd put the following in /opt/splunkforwarder/etc/apps/local/ (create the local directory if it's not there already). Then create outputs.conf and put this in there:

[tcpout]
defaultGroup = splunkServer

[tcpout:splunkServer]
autoLB = true
server = <YOUR-SPLUNK-SERVER-IP>:9997

Make sure you've got receiving on your Splunk server set up on port 9997, and you should be good 🙂 More details may be found here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

There's a really good run down of how to set up forwarding as well here: http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux

Good luck and happy Splunking 🙂

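The stanza above sends data to port 9997 in the clear, which is fine for a trial but not what you want between servers on a production network. As an added example (not from this thread or from Splunk), here is a small audit script for outputs.conf that reads the file the way Splunk layers it (a [tcpout:<group>] stanza overrides [tcpout]) and flags a missing or dangling defaultGroup, a malformed server entry, and TLS not being enabled or the indexer certificate not being verified. The setting names useSSL, sslRootCAPath, clientCert and sslVerifyServerCert are documented outputs.conf settings; the two sample configurations, the address 192.0.2.10 and the certificate paths are constructed for the example.

```python
"""Audit a Splunk forwarder outputs.conf for routing and transport settings.

Added example, not code from the thread or from Splunk. Splunk .conf files
are INI-style, so configparser reads them as-is.
"""
import configparser

# Constructed sample: the stanza from the accepted answer, with a
# documentation address in place of the real indexer.
CLEARTEXT_CONF = """\
[tcpout]
defaultGroup = splunkServer

[tcpout:splunkServer]
autoLB = true
server = 192.0.2.10:9997
"""

# Constructed sample: same target over TLS, with the indexer certificate
# checked against a pinned CA. The certificate paths are assumptions.
TLS_CONF = """\
[tcpout]
defaultGroup = splunkServer
useSSL = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/ca.pem
clientCert = /opt/splunkforwarder/etc/auth/forwarder.pem
sslVerifyServerCert = true

[tcpout:splunkServer]
autoLB = true
server = 192.0.2.10:9997
"""

TRUE_VALUES = {"true", "1", "yes"}


def parse_conf(text):
    """Parse a .conf file, keeping Splunk's camelCase setting names intact."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective(cp, group, key):
    """A target-group stanza overrides the global [tcpout] stanza."""
    if cp.has_option(group, key):
        return cp.get(group, key)
    if cp.has_option("tcpout", key):
        return cp.get("tcpout", key)
    return None


def is_true(value):
    return (value or "").strip().lower() in TRUE_VALUES


def audit_outputs_conf(text):
    """Return a list of findings; an empty list means nothing to fix."""
    cp = parse_conf(text)
    findings = []
    if not cp.has_section("tcpout"):
        return ["no [tcpout] stanza: the forwarder has nowhere to send data"]
    groups = [s for s in cp.sections() if s.startswith("tcpout:")]
    if not groups:
        findings.append("no [tcpout:<group>] stanza defines a server")
    default = cp.get("tcpout", "defaultGroup", fallback=None)
    if default is None:
        findings.append("[tcpout] has no defaultGroup, inputs will not be routed")
    elif f"tcpout:{default}" not in groups:
        findings.append(f"defaultGroup '{default}' has no [tcpout:{default}] stanza")
    for g in groups:
        # server may be a comma-separated list; each entry must be host:port
        for entry in cp.get(g, "server", fallback="").split(","):
            entry = entry.strip()
            host, sep, port = entry.rpartition(":")
            if not (sep and host and port.isdigit()):
                findings.append(f"{g}: server entry '{entry}' is not host:port")
        # anything other than an explicit useSSL = true is treated as cleartext
        if not is_true(effective(cp, g, "useSSL")):
            findings.append(f"{g}: useSSL is not true, forwarded data travels in cleartext")
            continue
        if not effective(cp, g, "sslRootCAPath"):
            findings.append(f"{g}: useSSL without sslRootCAPath, the indexer certificate cannot be validated")
        if not is_true(effective(cp, g, "sslVerifyServerCert")):
            findings.append(f"{g}: sslVerifyServerCert is not true, a spoofed indexer would be accepted")
    return findings


if __name__ == "__main__":
    for name, conf in (("cleartext", CLEARTEXT_CONF), ("tls", TLS_CONF)):
        print(name, audit_outputs_conf(conf) or ["ok"])
```

The receiving side has to match: if you turn on useSSL here, the indexer's inputs.conf [splunktcp-ssl:9997] stanza must be configured with a certificate, otherwise the forwarder will connect and get nothing through.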

GLC2012
Explorer

Thank you

I've got syslog information appearing in Splunk now, but still nothing in *nix. I'm not too fussed about that, as I just wanted the syslog info. Thank you for your help! Much appreciated.

0 Karma

rturk
Builder

Glad I could help! If you could mark this question as answered that'd be tops!

0 Karma

GLC2012
Explorer

I see. I've basically followed the guide at the following link http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux, finishing at step 7, but just issuing the command

/opt/splunkforwarder/bin/splunk add monitor /var/log/

(I must add I am a novice when it comes to Ubuntu)

I've also configured the receiver in the Splunk web interface, but I'm still not seeing anything come through. I must be doing something wrong, though, as I'm not sure what you mean by enabling forwarding through the Splunk server; I don't see that anywhere.

0 Karma

rturk
Builder

The Universal Forwarder is essentially a pared-down version of Splunk capable of collecting and forwarding logs to a central Splunk instance. That being said, it's not mandatory to use it, and for your purposes it may be better to use the full version while you configure the collection of log files.

If you have installed the *nix app, then you have probably seen the setup. Enabling the directory input for '/var/log/' will pick up the syslog log files. When you're in the *nix app, enable forwarding through to your Splunk server, and make sure you configure your Splunk server to receive this "cooked" data on port 9997 and you should start seeing your log files come through.

0 Karma

GLC2012
Explorer

Thanks for the reply,

I have tried installing the Linux forwarder and the *nix app and gone through the configuration; again, the Ubuntu server did not show up in the *nix app. I've not tried a Universal Forwarder. Is that different?

0 Karma

rturk
Builder

I'd hate to say it, but this sounds more like a syslog issue on your Ubuntu box, seeing that you can receive syslog from your other servers. Have you tried installing a Universal Forwarder on your Ubuntu server to forward your syslog (and other) messages/logs?

0 Karma