Solved: Re: How do you get all Splunk cluster servers inte...

evets · ‎12-03-2018

We have a requirement to forward all the log files from /var/log internal linux OS on the Splunk Enterprise cluster to a security app the same as all the other linux servers in the system, this includes the Search Heads, Indexers, Distribution and Master Node. Installing a universal forwarder is apparently not recommended.

What would be the best way to implement this?

harsmarvania57 · ‎12-03-2018

Hi @evets,

You can implement same monitoring stanza on Splunk Enterprise servers which you are running on UF to monitor all Linux servers, if you have dedicated app on UF to monitor /var/log/ then you can implement same app on Splunk Enterprise Server.

View solution in original post

evets · ‎12-03-2018

Thanks for your swift replies guys, I will see it it can be pushed out via the deployment server.

tom_frotscher · ‎12-03-2018

Hi,

why is it not recommended to use Universal Forwarders?

From my point of view you should use Universal Forwarders. Every instance which already have Splunk installed (SH, Indexers,...) can also act as a forwarder, just add the configuration in the outputs.conf.

Alternativly, you could use something like syslog, send all data to a syslog server and collect them from there with a Universal Forwarder.

Greetings

Tom

harsmarvania57 · ‎12-03-2018

Hi @evets,

You can implement same monitoring stanza on Splunk Enterprise servers which you are running on UF to monitor all Linux servers, if you have dedicated app on UF to monitor /var/log/ then you can implement same app on Splunk Enterprise Server.

How do you get all Splunk cluster servers internal Linux log files indexed?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases