Getting Data In

What is the best way to monitor a random directory?

Crashfry
Path Finder

With a clustered index environment, we have typically used the deployment server for the push mechanism to the universal forwards etc.

Now on random servers, we want to monitor for specific actions in directories not covered by a previous add-on, for, say, the Linux add-on. I want to monitor a random directory — what is the best way to accomplish this?

Is using the add-monitor command individually on those servers the best way to handle this?

Thanks in advance!

0 Karma
1 Solution

richgalloway
SplunkTrust

You shouldn't be allowing anyone, including yourself, to use the CLI to touch your forwarders for that is the path to madness. It's also a potential security hole.

It's better to create a one-off app on the deployment server and push it to the few forwarders that need it. By doing that, you keep all of your configurations in one place (the DS) where they are easier to manage.

---
If this reply helps you, Karma would be appreciated.
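The "one-off app on the deployment server" approach above, as an added example that is not from the thread or from Splunk: two shell functions that build the app (an inputs.conf monitor stanza) under deployment-apps and append a serverclass.conf stanza that scopes it to a host pattern, so only the forwarders that need the input receive it. Every name (app, class, directory, index, sourcetype, host pattern) is a placeholder you supply; SPLUNK_HOME is assumed to be the DS install.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. Builds a one-off
# deployment app that monitors a single directory, plus the serverclass
# stanza that limits it to a few forwarders. All names are placeholders.
set -eu

# make_monitor_app ETC APP DIR INDEX SOURCETYPE
# ETC is $SPLUNK_HOME/etc on the deployment server. Writes the app under
# ETC/deployment-apps/APP and prints the app directory.
make_monitor_app() {
    etc=$1 app=$2 dir=$3 index=$4 sourcetype=$5
    appdir="$etc/deployment-apps/$app"
    mkdir -p "$appdir/local"
    cat > "$appdir/local/inputs.conf" <<EOF
# Pushed from the deployment server; do not edit on the forwarder.
[monitor://$dir]
disabled = 0
recursive = true
index = $index
sourcetype = $sourcetype
EOF
    cat > "$appdir/local/app.conf" <<EOF
[install]
state = enabled
EOF
    printf '%s\n' "$appdir"
}

# add_serverclass ETC CLASS APP HOSTPATTERN
# Appends a server class matching HOSTPATTERN and maps APP to it, so only
# those forwarders get the input. restartSplunkd is set because a
# forwarder only picks up new inputs.conf stanzas after a restart.
add_serverclass() {
    etc=$1 class=$2 app=$3 pattern=$4
    conf="$etc/system/local/serverclass.conf"
    mkdir -p "$(dirname "$conf")"
    cat >> "$conf" <<EOF

[serverClass:$class]
whitelist.0 = $pattern

[serverClass:$class:app:$app]
restartSplunkd = true
stateOnClient = enabled
EOF
    printf '%s\n' "$conf"
}
```

On the DS you would call, for instance, `make_monitor_app "$SPLUNK_HOME/etc" app_mon_myapp /var/log/myapp main myapp:log` and `add_serverclass "$SPLUNK_HOME/etc" sc_myapp app_mon_myapp 'web-*'`, then run `splunk reload deploy-server`; nothing is typed on the forwarders themselves.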


Crashfry
Path Finder

Thanks for the response, so you're saying when dealing with these types of items, the easiest way is having a server class for them, creating the input needed to monitor " x " and pushing it out to those for monitoring on that end. I see where that is easier for sure on that end, just a PITA for situations where it's a single log file you want to collect from one or two servers. But I see where you're going with it, one or two servers turns into multiple servers down the line..

0 Karma

richgalloway
SplunkTrust

Yes, that's what I'm saying. When those one or two servers start behaving oddly, you'll appreciate having all of the configs on the DS and not having to sign in to each one to review their .conf files for errors.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Crashfry
Path Finder

I appreciate the thoughts and help - have already made the changes and agree this will be a lot easier to manage. So thank you!

0 Karma