"This website is not affiliated with Splunk, Inc. and is not an authorized seller of Splunk products or services."

Forward Linux logs to Splunk step by step:

There are multiple ways to send Linux logs to Splunk: the Splunk Linux app, the Splunk Universal Forwarder, or syslog. The most reliable and best-performing method is to install the Splunk Universal Forwarder on each Linux machine whose logs you wish to forward. The Universal Forwarder acts as an agent for log collection: it collects the logs and forwards them to the indexer. Alternatively, syslog can be used for log collection; a Splunk forwarder is then installed on the syslog server and forwards the data from there to the Splunk indexer. The steps below describe the most reliable method for adding Linux logs to Splunk.

For syslog installation and configuration, follow the steps given at the link below:

Refer to the steps below to add Linux logs to Splunk.

Step 1. On the Splunk server (receiver)
Download and install the Splunk TA for Unix and Linux on the Splunk server (receiver) and enable it by going to Manager | Apps | Enable.

Step 2. On the host you want to collect data from (sender)
Download and install the Splunk Universal Forwarder on the Linux host using the steps given at the link below:

https://apps.splunk.com/app/833/

Step 3. Open TCP port 9997 in the firewall (the port on which the indexer receives data from forwarders, see step 11):

iptables -I INPUT 4 -p tcp --dport 9997 -j ACCEPT

Step 4. Copy the default inputs.conf file from $SPLUNK_HOME/splunkforwarder/etc/system/default to $SPLUNK_HOME/splunkforwarder/etc/system/local, and check that the owner and group (UID/GID) of the file are splunk:splunk.

Step 5. Edit the inputs.conf file located in $SPLUNK_HOME/splunkforwarder/etc/system/local to get a basic setup, for example:

[default]
host = mysender.local

[monitor:///var/log/secure]
disabled = false

Step 6. Start the splunkforwarder:
service splunk start
or
/etc/init.d/splunk start

Step 7. Tell the forwarder where to send its data, i.e. the hostname of the Splunk server (receiver) from step 1 and the receiving port (replace <receiver-host> with that hostname):
/opt/splunkforwarder/bin/splunk add forward-server <receiver-host>:9997

You should be getting data in Splunk now.

Step 8. Now download and manually install the Splunk Technology Add-on (TA) for Unix and Linux on the host you collect data from (sender); it will end up here:
$SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix

Step 9. Copy the default inputs.conf file from $SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf to $SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/local/:

cp /opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/

Step 10. Edit the inputs.conf file located in /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/, enable the items you wish to monitor by setting the "disabled" attribute to "false", and then restart the splunkforwarder.

Below is a sample inputs.conf configuration.

inputs.conf example:

[monitor:///var/log/secure]
disabled = false
sourcetype = linux_secure

[monitor:///var/log/messages]
disabled = false
sourcetype = syslog
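Steps 5 and 10 both come down to editing inputs.conf stanzas and getting the "disabled" attribute right, so it helps to be able to check the file before restarting the forwarder. The following Python script is an added example (it is not Splunk code and not part of this tutorial): a minimal parser for the Splunk .conf stanza format that lists which [monitor://...] stanzas are actually enabled and warns about enabled monitors with no sourcetype (Splunk would then guess one at index time, which makes later searches and detections less predictable). The sample file embedded below is constructed: it is the tutorial's two stanzas plus two extra ones that exercise the numeric boolean spellings Splunk accepts.

```python
"""Parse a Splunk inputs.conf and report which [monitor://...] stanzas are enabled."""
from __future__ import annotations

# Constructed sample: the tutorial's stanzas plus two extra ones for the "0"/"1" spellings.
SAMPLE_INPUTS_CONF = """\
[default]
host = mysender.local

[monitor:///var/log/secure]
disabled = false
sourcetype = linux_secure

[monitor:///var/log/messages]
disabled = false
sourcetype = syslog

# left disabled on purpose (constructed comment)
[monitor:///var/log/cron]
disabled = 1

[monitor:///var/log/audit/audit.log]
disabled = 0
"""

# Boolean spellings Splunk accepts for "disabled"
_TRUE = {"true", "1", "t", "yes", "y"}
_FALSE = {"false", "0", "f", "no", "n"}


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines,
    '#' comment lines and blank lines. A key repeated in a stanza overrides the earlier value."""
    stanzas: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # setting outside any stanza, or a malformed line: ignore
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_disabled(value: str | None) -> bool:
    """Interpret a "disabled" value; an absent key means the input is enabled."""
    if value is None:
        return False
    v = value.lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean value for disabled: {value!r}")


def enabled_monitors(text: str) -> list[tuple[str, str | None]]:
    """Return (monitored path, sourcetype or None) for every enabled monitor stanza."""
    result: list[tuple[str, str | None]] = []
    for name, settings in parse_conf(text).items():
        if not name.startswith("monitor://"):
            continue
        if is_disabled(settings.get("disabled")):
            continue
        result.append((name[len("monitor://"):], settings.get("sourcetype")))
    return result


def lint(text: str) -> list[str]:
    """Warnings worth fixing before restarting the forwarder."""
    warnings: list[str] = []
    stanzas = parse_conf(text)
    if not any(n.startswith("monitor://") for n in stanzas):
        warnings.append("no monitor stanzas found; nothing will be forwarded")
    for name, settings in stanzas.items():
        if name.startswith("monitor://") and not is_disabled(settings.get("disabled")):
            if "sourcetype" not in settings:
                warnings.append(f"{name}: no sourcetype set; Splunk will guess one at index time")
    return warnings


if __name__ == "__main__":
    for path, sourcetype in enabled_monitors(SAMPLE_INPUTS_CONF):
        print(f"enabled: {path} (sourcetype={sourcetype})")
    for warning in lint(SAMPLE_INPUTS_CONF):
        print(f"warning: {warning}")
```

To check a real file, read /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf (or the system/local one from step 5) into a string and pass it to enabled_monitors and lint instead of the constructed sample.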

Step 11. Enable receiving on the indexer on port 9997. On the indexer, go to Settings >> Forwarding and receiving >> Enable receiving.

Step 12. Verify in Splunk that your data is being indexed by searching for the logs or the hostname in the Splunk search GUI.
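Step 7 and step 11 are the two ends of the same connection, and it is easier to troubleshoot (and to review) when both are visible as configuration files rather than as a CLI command and a GUI click. The pair below is an added example, not part of this tutorial: the outputs.conf that "splunk add forward-server" writes on the forwarder, and the inputs.conf stanza that "Enable receiving" creates on the indexer. The hostname indexer.example.local and the certificate paths are placeholders; the commented TLS settings are an optional hardening for the forwarder-to-indexer link and are assumed to match your own certificate layout.

```ini
# --- on the forwarder: /opt/splunkforwarder/etc/system/local/outputs.conf ---
# This is what "splunk add forward-server <receiver-host>:9997" (step 7) produces.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# placeholder hostname: the Splunk server (receiver) from step 1 / step 11
server = indexer.example.local:9997
# Optional TLS hardening of the 9997 link (assumed certificate paths).
# If enabled, the indexer side must use a [splunktcp-ssl:9997] stanza instead.
# sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
# clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
# sslVerifyServerCert = true

# --- on the indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Equivalent of step 11 (Settings >> Forwarding and receiving >> Enable receiving).
[splunktcp://9997]
disabled = 0
```

Once both sides are in place, step 12 can be checked with a search restricted to the new host, for example `index=* host=mysender.local sourcetype=linux_secure`; an empty result usually means the firewall rule from step 3 or the receiving stanza above is missing on the indexer.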

Hope this helps :)


Reference: http://answers.splunk.com/answers/55777/splunk-technology-add-on-ta-for-unix-and-linux.html


