Files and directories - remote
The easiest way to get your logs from remote machines into Splunk is with the universal forwarder. You set up the forwarder on the machine generating the logs and then point the forwarder at the Splunk indexer. The forwarder monitors the logs and forwards the events to the indexer, which then indexes them and makes them available for searching.
There are two main steps:
1. Set up the forwarder on the remote machine and point it at the indexer. See this recipe: "Forwarders".
2. Set up the forwarder's inputs so that they monitor the logs. You set up the inputs on the forwarder the same as if they were on a Splunk indexer. However, the forwarder has no Splunk Web, so you must set up the inputs either with the CLI or by editing
For information on setting up inputs to monitor Unix logs, see "Monitor files and directories" in this manual. For additional information on how to set up forwarders, see "Use forwarders" in this manual.
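As an added example that is not part of the original Splunk documentation, the two forwarder-side configuration files that carry out the steps above: `outputs.conf` points the forwarder at the indexer and `inputs.conf` defines what it monitors. The indexer address `indexer.example.com:9997`, the index name `os`, and the monitored paths are assumptions chosen for illustration.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the universal forwarder
# Step 1: tell the forwarder where the indexer listens (assumed host/port).
[tcpout]
defaultGroup = primary_indexers
# Require the indexer to acknowledge receipt so events are not lost if the
# connection drops mid-send.
useACK = true

[tcpout:primary_indexers]
server = indexer.example.com:9997
# Verify the indexer's certificate so logs are not forwarded to an impostor
# (assumes a CA bundle has been deployed to the forwarder).
sslVerifyServerCert = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem

# $SPLUNK_HOME/etc/system/local/inputs.conf on the universal forwarder
# Step 2: the same monitor stanzas you would write on an indexer; the
# forwarder has no Splunk Web, so they are edited here (or added via the CLI).
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = false

[monitor:///var/log/audit/audit.log]
sourcetype = linux_audit
index = os
disabled = false

# Monitor a whole directory but only pick up rotated and live messages files,
# skipping compressed archives that are already indexed.
[monitor:///var/log]
whitelist = messages(\.\d+)?$
blacklist = \.gz$
index = os
ignoreOlderThan = 7d
```

Restart the forwarder after editing so both files are reloaded, then confirm with a search on the indexer that events arrive with the expected `host`, `index` and `sourcetype`.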
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14