I am running a distributed Splunk environment. I have three indexers, an index master, a search head, and a universal forwarder deployment server. The universal forwarders load balance between the three indexers. I would like to ingest the logs like /var/log/secure/ and /var/log/messages that are on the indexers themselves so I can monitor logins and whatnot on those servers. Can I simply add the log files in question to $SPLUNK_HOME/etc/system/local/inputs.conf, on each indexer or is there a better way to attack indexing Linux logs on the indexers in the cluster?
... View more