How to add Windows logs to Splunk?
- In the previous sections we installed Splunk and the Splunk forwarder. Now we will see how to add Windows local and remote logs to Splunk. Usually we forward remote Windows server/IIS logs to Splunk, and this can be achieved in different ways. The most common ways to collect Windows logs and add them to the Splunk database are the following:
1. The most commonly used method is to install the Splunk universal forwarder on the Windows server. The forwarder acts as an agent: it collects data from the local Windows machine and forwards it to the indexer.
OR
2. Install a syslog agent that collects logs from all Windows servers, using the instructions at the link below, and install the Splunk forwarder on the syslog server; the forwarder then sends all logs collected by syslog to the Splunk indexer.
http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/configuring-syslog-agent-windows-server-2012.html
3. Add local and remote log files directly from the search head. This is not recommended, because if the number of logs is large it will affect Splunk performance; it is fine for a test environment.
Logs can be added to Splunk by three methods, and any of them can be used. Instructions for all three are provided below:
1. Adding logs to Splunk using the Splunk GUI, OR
2. Adding logs to Splunk using inputs.conf, OR
3. Adding logs to Splunk using the Splunk CLI
Below are instructions to add Windows local and remote logs using the GUI, on either an all-in-one instance or a separate forwarder instance:
How to add local logs to Splunk/forwarder:
We can add Windows System/Application/Security/IIS logs and scripted inputs using the method below:
1. Log in to Splunk
2. Go to Settings and click on Data inputs under the Data heading
3. To add local events, click on Add new/Edit in front of the Local event log collection column (if the logs are available on the local machine)
4. Select the logs you need to monitor, select the index in which you want to store them, and click on Save. After saving you can search the local logs through the Splunk GUI for any errors
How to add remote Windows server logs to Splunk?
Use the steps below to add logs from a remote Windows server:
1. Follow steps 1 and 2 from the previous section
2. Click on Add data in front of the respective column, depending upon the type of data you want to add (check the description), i.e. if you want to add remote server logs select remote server logs, or if you want to add Active Directory monitoring select Active Directory monitoring, etc.
3. Enter a log collection name, i.e. the name under which you want to add the logs, and enter the IP address of the server so that Splunk can search for logs on it. Remember that the remote server must be reachable over the network from your Splunk server.
4. Click on Find logs
5. Select the appropriate logs which you want to add to Splunk and click on the Next button
6. Provide the index name and sourcetype under which you wish to save the specified logs in Input settings
7. Review the added settings and click on Submit
Tada... your data is now successfully added to Splunk using the GUI
- Adding data to Splunk using inputs.conf
If you want to add many more log files, using the GUI is not appropriate and will be time consuming. The other method for adding data to Splunk is editing inputs.conf and outputs.conf on the forwarder, as below.
Adding log files to Splunk using inputs.conf is relatively easy.
We only need to enter the sourcetype name and the location of the file to monitor. We can add as many sourcetypes and log files as we like in one inputs.conf, or create a separate inputs.conf for each sourcetype. Below are a few sample inputs.conf files
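As an added illustration (not one of the page's own samples), here is an inputs.conf covering the Windows event logs, IIS logs and a scripted input named above, together with the matching outputs.conf on the universal forwarder; the index names, the indexer address 10.0.0.5:9997, the IIS log path and the script name are assumptions.

```ini
# --- inputs.conf on the universal forwarder (e.g. %SPLUNK_HOME%\etc\system\local\inputs.conf) ---
# Index names "wineventlog" and "iis" are assumed: create them on the indexer first,
# because events sent to a nonexistent index are dropped and logged as errors in splunkd.log.

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
# resolve SIDs in security events to account names, so detections can key on user names
evt_resolve_ad_obj = 1
# sourcetype WinEventLog:Security is assigned automatically

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

# IIS access logs (assumed default path); the iis sourcetype reads the W3C header line
[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
index = iis
sourcetype = iis
recursive = true
whitelist = \.log$

# scripted input (assumed script name): run every 300 seconds and index its stdout
[script://$SPLUNK_HOME\bin\scripts\collect_status.bat]
disabled = 0
interval = 300
index = wineventlog
sourcetype = custom:status

# --- outputs.conf on the same forwarder: where the data is sent ---
# Forwarder-to-indexer traffic is plaintext unless SSL is configured on both sides.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.0.0.5:9997
```

After editing, restart the forwarder and check the merged configuration with `splunk btool inputs list --debug`, then confirm on the search head that `index=wineventlog sourcetype="WinEventLog:Security"` returns events.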