Manually collect logs from a *nix host in ITE Work
You can manually set up a universal forwarder to collect logs from a *nix host. Manually configure log collection for a host when you meet at least one of these conditions:
- You're collecting data from a host on a closed network with no internet access.
- You already installed a universal forwarder on the host.
- You don't have trusted URLs you can download the required packages from.
If you also want to collect metrics data from a Linux host, see Manually collect metrics from a *nix host in ITE Work.
Prerequisites
Requirement | Description |
---|---|
*nix host | *nix integration operating system support |
Administrator role |
In Splunk Enterprise, you have to be a user with the In Splunk Cloud Platform, you have to be a user with the |
Steps
Follow these steps to install a universal forwarder on a host and configure log collection.
1. Install the universal forwarder
Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a *nix universal forwarder in the Splunk Universal Forwarder Forwarder Manual.
2. Configure inputs.conf on the universal forwarder
Configure the inputs.conf
on the universal forwarder file to monitor files and directories from your host in ITE Work.
- Create the
${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local
directory if it doesn't already exist. - Create
inputs.conf
if it doesn't already exist. - Open
inputs.conf
with a text editor. - Add these stanzas to configure the host and receiving port:
host = <monitoring_machine> tcp://<receiver_port>
Setting Description monitoring_machine
The hostname or IP address of the Splunk Enterprise instance you want to send log data to. receiver_port
The port that your Splunk platform deployment uses to receive data. - Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf in the Splunk Enterprise Getting Data In guide.
- (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For example, this stanza monitors a syslog file at
/var/log/syslog
:For more information, see Configuration settings in the Splunk Enterprise Getting Data in guide and inputs.conf in the Splunk Enterprise Admin Manual.[monitor:///var/log/syslog] disabled = false sourcetype = syslog
- Save and close the
inputs.conf
file. - Restart splunkd. If you also need to configure
outputs.conf
in the next step, you can wait to restart splunkd until after you've configuredoutputs.conf
as well.$SPLUNK_HOME/bin/splunk restart
3. Configure outputs.conf on the universal forwarder
Configure outputs.conf
on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment.
- Go to the
${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local
directory. - Open
outputs.conf
with a text editor. - Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
- Save and close
outputs.conf
. - Restart splunkd.
$SPLUNK_HOME/bin/splunk restart
Example inputs.conf for a universal forwarder
[monitor:///var/log/syslog] disabled = false sourcetype = syslog [monitor:///var/log/daemon.log] disabled = false sourcetype = syslog [monitor:///var/log/auth.log] disabled = false sourcetype = syslog [monitor:///var/log/apache/access.log] disabled = false sourcetype = combined_access [monitor:///var/log/apache/error.log] disabled = false sourcetype = combined_access [monitor:///opt/splunkforwarder/var/log/splunk/*.log] disabled = false index = _internal [monitor:///etc/collectd/collectd.log] disabled = false index = _internal
Example outputs.conf for a universal forwarder
[tcpout] defaultGroup = splunk-app-infra-autolb-group [tcpout:splunk-app-infra-autolb-group] disabled = false server = <monitoring_machine>:<receiver_port>
Setting | Description |
---|---|
monitoring_machine
|
The hostname or IP address of the Splunk Enterprise instance you want to send log data to. |
receiver_port
|
The port that your Splunk platform deployment uses to receive data. |
Manually collect metrics from a *nix host in ITE Work | Troubleshoot the Unix and Linux entity integration in ITE Work |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1
Feedback submitted, thanks!