Where to add a file monitor input to monitor a Syslog log and where would it be best to define the input and associated index?

mshilston
Path Finder

Hi,

I have a best practice question around index creation.

I'm planning on having data come from both Windows Event Logs and Syslog sources.

The Splunk_TA_windows addon nicely compartmentalizes the index and input config files that are required in a folder.

If I then wanted to add a file monitor input to monitor a Syslog log, where would it be best to define the input and associated index? I know it will work if I put the required config files in etc/system/local but should I be looking to create an app folder or the like?

Many thanks,

M

0 Karma

mshilston
Path Finder

Quick update:

I've got a situation now where I've installed the Splunk_TA_windows app on my Search Head, Indexers and Forwarders. That is, each instance has the full Splunk_TA_windows folder located under /etc/apps/ and then I've copied an 'inputs.conf' and 'indexes.conf' into the /local/ folder under the App and edited the index location and enabled the inputs.

I have also created a Syslog app, named Splunk_TA_syslog and placed that in the /etc/apps/ folder.

I now have files in multiple places:
- /etc/apps/Splunk_TA_windows/local/indexes.conf (to define Windows indexes)
- /etc/apps/Splunk_TA_windows/local/inputs.conf (to define Windows inputs)
- /etc/apps/Splunk_TA_syslog/local/indexes.conf (to define syslog indexes)
- /etc/apps/Splunk_TA_syslog/local/inputs.conf (to define syslog inputs)

But also:
- /etc/system/local/outputs.conf (to define global outputs for instances)
- /etc/system/local/server.conf (to define global SSL settings)

I've been basically defining what I consider 'global' settings within the system/local folders and app-based settings at the app folder level. Is that correct? Is it best practice?

0 Karma

adonio
Ultra Champion

Hello there,

If you are using forwarders to send data to Splunk, you can do the following:
create a small app, create an inputs.conf file and place it in that app's local folder, configure the inputs to monitor the syslog data log path file.
make sure you have an index set up for the data and that your new inputs.conf reflects the index.
place the app on your forwarder (or splunk instance) in /etc/app/ directory.
restart forwarder.

enjoy the new syslog data

hope it helps
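
As an added example (not code from this thread or from Splunk), a small POSIX shell script that lays out the kind of add-on the answer above describes, with a check that the monitor stanza and the index definition agree before the app is copied out. The app name Splunk_TA_syslog, the index name "syslog" and the path /var/log/syslog are constructed placeholders; on a real system the apps directory is $SPLUNK_HOME/etc/apps.

```shell
#!/bin/sh
# Added example: build a minimal Splunk add-on for a syslog file monitor.
# Constructed names: app Splunk_TA_syslog, index "syslog", /var/log/syslog.
set -eu

# make_syslog_app <apps_dir> <app_name> <index_name> <log_path>
# Writes local/inputs.conf (needed on the forwarder) and local/indexes.conf
# (only meaningful on the indexers; a forwarder does not create indexes).
make_syslog_app() {
  apps_dir=$1; app=$2; idx=$3; logpath=$4
  mkdir -p "$apps_dir/$app/local"
  cat > "$apps_dir/$app/local/inputs.conf" <<EOF
# File monitor input: events from this path are routed to index "$idx".
[monitor://$logpath]
disabled = 0
sourcetype = syslog
index = $idx
EOF
  cat > "$apps_dir/$app/local/indexes.conf" <<EOF
# Index definition: deploy this file to the indexers, not the forwarders.
[$idx]
homePath   = \$SPLUNK_DB/$idx/db
coldPath   = \$SPLUNK_DB/$idx/colddb
thawedPath = \$SPLUNK_DB/$idx/thaweddb
EOF
}

# index_of_monitor <inputs.conf> <log_path>
# Prints the index that the [monitor://<log_path>] stanza routes to, so the
# inputs/indexes pairing can be verified before the app leaves the build host.
index_of_monitor() {
  awk -v want="[monitor://$2]" '
    $0 == want                 { in_stanza = 1; next }
    /^\[/                      { in_stanza = 0 }
    in_stanza && $1 == "index" { print $3; exit }
  ' "$1"
}

# index_defined <indexes.conf> <index_name>: exit 0 if the [index] stanza exists.
index_defined() {
  grep -qx "\[$2\]" "$1"
}
```

After installing the app, `splunk btool inputs list --debug` shows which file each setting is taken from, which answers the precedence question about system/local versus an app's local folder.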

mshilston
Path Finder

OK thanks, so it sounds like most inputs are best configured via an App folder - I know the highest weighted values are in the system/local folder, it's more my understanding of when and when not to use this location!

0 Karma