I have installed the Splunk_TA_nix add-on on my universal forwarder to send Linux logs. What is the difference between forwarding the logs through the add-on and forwarding logs through /etc/system/local/inputs.conf? Will both do the same thing? Will the Splunk_TA_nix add-on extract the fields from the Linux logs (/var/log/messages, /var/log/maillog) so that they are CIM compatible?
Hi @sandeepduppalli,
there isn't any difference in the inputs; the main difference is in management:
if you put all the inputs in dedicated TAs (e.g. TA_nix), you can distribute and update them using a Deployment Server; in other words, you have to modify apps in only one place.
If instead you put all the inputs in one big inputs.conf in $SPLUNK_HOME/etc/system/local, you cannot use the Deployment Server and you have to manually deploy and update inputs.conf on all your servers.
So, if you have few servers (e.g. in a lab), you can do this manually; if you have many servers it isn't possible!
To better understand this way of deploying apps: it's a best practice to also put the outputs.conf and deploymentclient.conf, which are often in $SPLUNK_HOME/etc/system/local, in a dedicated Technical Add-on (called e.g. TA_Forwarder or TA_sendtoindexer), so you can manage them in a centralized way.
Ciao.
Giuseppe
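As an added illustration of the layout Giuseppe describes (example configuration written for this page, not from the original thread or the TA_nix project): a TA_sendtoindexer app carrying outputs.conf and deploymentclient.conf, plus the serverclass.conf on the Deployment Server that pushes both it and Splunk_TA_nix to the forwarders. Hostnames, the server class name and the whitelist pattern are assumed placeholders; 9997 and 8089 are Splunk's default receiving and management ports.

```ini
# On each forwarder, delivered by the Deployment Server:
# $SPLUNK_HOME/etc/apps/TA_sendtoindexer/local/outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# assumed placeholder indexer hostnames; 9997 is the default receiving port
server = idx1.example.com:9997, idx2.example.com:9997
# indexer acknowledgement, so events are re-sent if a connection drops
useACK = true
# verify the indexers' TLS certificates (the CA is configured in server.conf)
sslVerifyServerCert = true

# $SPLUNK_HOME/etc/apps/TA_sendtoindexer/local/deploymentclient.conf
[deployment-client]
# how often (seconds) the forwarder checks the Deployment Server for updates
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
# assumed placeholder Deployment Server hostname; 8089 is the default management port
targetUri = ds.example.com:8089

# On the Deployment Server, the single place you edit:
# $SPLUNK_HOME/etc/system/local/serverclass.conf
# (the apps themselves live under $SPLUNK_HOME/etc/deployment-apps/)
[serverClass:linux_forwarders]
# assumed placeholder pattern matching the Linux forwarders' hostnames
whitelist.0 = web*.example.com

[serverClass:linux_forwarders:app:Splunk_TA_nix]
restartSplunkd = true

[serverClass:linux_forwarders:app:TA_sendtoindexer]
restartSplunkd = true
```

With this in place, nothing has to be edited in $SPLUNK_HOME/etc/system/local on the forwarders; changing an input, an indexer address or the Deployment Server target means editing the app once under deployment-apps and letting the forwarders pick it up on their next phone-home.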
Hi @gcusello
Thanks for that, one last thing: does the Splunk_TA_nix add-on extract the fields of the inputs provided to it so that they are CIM compatible? If this add-on doesn't do that, is there any other add-on which extracts fields from my logs (e.g. /var/log/*)?
Hi @sandeepduppalli,
as you can see at https://splunkbase.splunk.com/app/833/ , this TA is compatible with CIM 4.x.
Open it and see which inputs you have by default:
File and Directory Inputs:
/etc
/home/*/.bash_history
/Library/Logs
/root/.bash_history
/var/adm
/var/log
Scripted Inputs:
bandwidth.sh
cpu.sh
df.sh
hardware.sh
interfaces.sh
iostat.sh
lastlog.sh
lsof.sh
netstat.sh
nfsiostat.sh
openPorts.sh
openPortsEnhanced.sh
package.sh
passwd.sh
protocol.sh
ps.sh
rlog.sh
selinuxChecker.sh
service.sh
sshdChecker.sh
time.sh
top.sh
update.sh
uptime.sh
usersWithLoginPrivs.sh
version.sh
vmstat.sh
vsftpdChecker.sh
who.sh
Ciao.
Giuseppe