Hello,
I'm trialling Splunk purely as a syslog server, and have installed it on a Windows 2003 server. I can receive syslog information from other Windows servers, however I'm not receiving anything from my Ubuntu server. I've modified the syslog.conf file and included the line *.* @"splunkserver" at the top of the file and restarted the service, but I don't get anything in Splunk. Can't work out why. Help please. Thanks
What you need to do on the Splunk Forwarder is tell it where to send the data it collects. You can do this one of two ways:
Edit/create the outputs.conf (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf) configuration. From your directory path above you'd put the following in /opt/splunkforwarder/etc/apps/local/ (create the local directory if it's not there already). Then create outputs.conf and put this in there:
[tcpout]
defaultGroup = splunkServer
[tcpout:splunkServer]
autoLB = true
server = <YOUR-SPLUNK-SERVER-IP>:9997
Make sure you've got receiving on your Splunk server set up on port 9997, and you should be good 🙂 More details may be found here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd
There's a really good run down of how to set up forwarding as well here: http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux
Good luck and happy Splunking 🙂
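When a forwarder stays silent after a change like the one above, the cause is usually a typo in outputs.conf rather than the network. The script below is an added example (it is not from this thread and not Splunk's own tooling): it parses an outputs.conf with Python's configparser and flags the mistakes that most often leave the indexer empty (a defaultGroup that names no [tcpout:<group>] stanza, a server entry without the :9997 port, no server at all), and it also warns when a group has no client certificate configured, because a plain tcpout group sends the "cooked" data across the network in cleartext. The embedded config, the 192.0.2.x addresses and the certificate paths are constructed placeholders; check_outputs_conf and receiver_reachable are names chosen for this example.

```python
"""Sanity-check a Splunk forwarder outputs.conf before blaming the network."""
import configparser
import socket
from typing import List

# Constructed sample: the stanza from the answer above, a group with the
# classic missing-port mistake, and a group with TLS settings as a contrast.
# All addresses are RFC 5737 documentation IPs, not real hosts.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunkServer

[tcpout:splunkServer]
autoLB = true
server = 192.0.2.10:9997

[tcpout:badGroup]
server = 192.0.2.11

[tcpout:tlsGroup]
server = 192.0.2.12:9997
clientCert = /opt/splunkforwarder/etc/auth/forwarder.pem
sslRootCAPath = /opt/splunkforwarder/etc/auth/ca.pem
sslVerifyServerCert = true
"""


def parse_outputs_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like, but keys are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'defaultGroup' as written, do not lowercase it
    cp.read_string(text)
    return cp


def check_outputs_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    cp = parse_outputs_conf(text)
    findings: List[str] = []
    groups = [s for s in cp.sections() if s.startswith("tcpout:")]
    if not groups:
        findings.append("no [tcpout:<group>] stanza: the forwarder has nowhere to send data")

    # The [tcpout] stanza must point at a group that actually exists.
    default = cp.get("tcpout", "defaultGroup", fallback=None)
    if default is None:
        findings.append("[tcpout] has no defaultGroup, so monitored data is never forwarded")
    elif f"tcpout:{default}" not in cp.sections():
        findings.append(f"defaultGroup '{default}' matches no [tcpout:{default}] stanza")

    for stanza in groups:
        servers = cp.get(stanza, "server", fallback="")
        if not servers.strip():
            findings.append(f"[{stanza}] has no server= entry")
        for entry in (s.strip() for s in servers.split(",") if s.strip()):
            host, sep, port = entry.rpartition(":")
            if not sep or not host or not port.isdigit():
                findings.append(
                    f"[{stanza}] server '{entry}' is not host:port (expected e.g. host:9997)"
                )
        # Without a client certificate the group talks plain TCP: anyone on the
        # path can read every forwarded log line.
        if not (cp.has_option(stanza, "clientCert") or cp.has_option(stanza, "sslCertPath")):
            findings.append(f"[{stanza}] has no clientCert/sslCertPath: data crosses the network in cleartext")
        elif cp.get(stanza, "sslVerifyServerCert", fallback="false").lower() != "true":
            findings.append(f"[{stanza}] encrypts but does not verify the indexer certificate")
    return findings


def receiver_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP-connect to the indexer's receiving port. False usually means
    receiving is not enabled on the Splunk server or a firewall is in the way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in check_outputs_conf(SAMPLE_OUTPUTS_CONF):
        print("-", finding)
```

Run it against the real file (read /opt/splunkforwarder/etc/system/local/outputs.conf or wherever you placed it, then pass the text to check_outputs_conf) and call receiver_reachable with the indexer's address once the file is clean; a clean config plus a refused connection points squarely at the receiving side.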
Thank you
I've got Syslog information appearing in Splunk now but still nothing in *nix but i'm not too fussed about that as I just wanted the syslog info. Thank you for your help! Much appreciated.
Glad I could help! If you could mark this question as answered that'd be tops!
I see. I've basically followed the guide at the following link http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux finishing at step 7. But just issuing the command
/opt/splunkforwarder/bin/splunk add monitor /var/log/
(I must add I am a novice when it comes to Ubuntu)
I've also configured the receiver in the Splunk web interface, but still not seeing anything come through. I must be doing something wrong though, as I'm not sure what you mean by enabling forwarding through the Splunk server, as I don't see that anywhere.
The Universal Forwarder is essentially a pared down version of Splunk capable of collecting and forwarding logs to a central Splunk instance. That being said it's not mandatory to use it, and for your purposes it may be better to use the full version while you configure the collection of log files.
If you have installed the *nix app, then you have probably seen the setup. Enabling the directory input for '/var/log/' will pick up the syslog log files. When you're in the *nix app, enable forwarding through to your Splunk server, and make sure you configure your Splunk server to receive this "cooked" data on port 9997 and you should start seeing your log files come through.
Thanks for the reply,
I have tried installing the Linux forwarder and the *nix app and gone through the configuration; again the Ubuntu server did not show up in the *nix app. I've not tried a Universal Forwarder, is that different?
I'd hate to say it, but this sounds more like a syslog issue on your Ubuntu box, seeing that you can receive syslog from your other servers. Have you tried installing a Universal Forwarder on your Ubuntu server to forward your syslog (and other) messages/logs?