Solved: How do I ingest Linux logs on my indexers?

jrabidoux · ‎03-06-2017

I am running a distributed Splunk environment. I have three indexers, an index master, a search head, and a universal forwarder deployment server. The universal forwarders load balance between the three indexers. I would like to ingest the logs like /var/log/secure/ and /var/log/messages that are on the indexers themselves so I can monitor logins and whatnot on those servers. Can I simply add the log files in question to $SPLUNK_HOME/etc/system/local/inputs.conf, on each indexer or is there a better way to attack indexing Linux logs on the indexers in the cluster?

somesoni2 · ‎03-06-2017

You should configure the monitoring configuration, inputs.conf, to a app and deploy that app through the cluster master. See this for more information on distribution of app to indexer cluster peers from cluster master:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Updatepeerconfigurations

View solution in original post

somesoni2 · ‎03-06-2017

You should configure the monitoring configuration, inputs.conf, to a app and deploy that app through the cluster master. See this for more information on distribution of app to indexer cluster peers from cluster master:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Updatepeerconfigurations

jrabidoux · ‎03-07-2017

Perfect! Exactly what I was looking for. Worked like a charm!

Many Thanks!

How do I ingest Linux logs on my indexers?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...