
Do I have to put Splunk on every server?


Do I need to install Splunk on every server that I wish to monitor?

I am just trying to jump in and check this program out, but it's not nearly as easy as some of the others I have checked out.

My thinking at first was that I could install Splunk on one server and monitor any resource in my network.

It depends, what kind of servers do you have and what are you looking to monitor?

Say multiple Windows Domain Controllers... event logs?

I'll say that while it's not an absolute physical necessity, the best/easiest way that I can think of to monitor Windows Event Logs is to put a Splunk Forwarder on the server.

Otherwise, you have to have some other way to send the log data to the Splunk Indexer. If you are running Vista or Win2008, you could configure and use the Windows Remote Management system to forward and collect the logs into one place and then bring them into Splunk there. There are probably some other agents, but everything I know of is going to work similarly. (When logging, it's more effective for the one side to "push" events than to try to have the other "pull" events from a remote server.)

You don't need to install splunk on every server at all.
I just run a central splunk server, and then use WMI to pull in the event logs from the servers I'm interested in.

In order to set this up you need to a) Have Splunk running on a windows machine, b) Ensure that WMI is enabled in splunk, and c) Ensure that when you installed splunk you chose to let it run using a windows account that has access to log files you're interested in on the remote machines. (phew)

Then, modify the C:\Program Files\Splunk\etc\system\local\wmi.conf file on the splunk server to pull in the info you're after.

Here are a couple of example stanzas: the first pulls in Windows event log data, the second some WMI performance counters. Note, you'll obviously need to change the server names to your server names :)

[WMI:Application and System Event Logs]
server=SERVER1,SERVER2,SERVER3
interval = 30
event_log_file = Application, System
disabled = 0

[WMI:FreeDiskSpaceOnServers]
server=SERVER1,SERVER2,SERVER3
interval=600
wql = select Name, FreeSpace, Size from Win32_LogicalDisk Where DriveType = 3
disabled=0

Hope that helps!
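As an added example (not Splunk's own code, and not part of the original post), here is a small Python checker that parses wmi.conf stanzas like the two above, flags the mistakes a reviewer would catch before enabling them, and expands the enabled stanzas into the per-server queries the Splunk host will issue. The 10-second interval floor and the treatment of "0"/"false" as enabled are assumptions of this example.

```python
import configparser
# Constructed sample wmi.conf, built from the two stanzas posted above.
SAMPLE_WMI_CONF = """
[WMI:Application and System Event Logs]
server=SERVER1,SERVER2,SERVER3
interval = 30
event_log_file = Application, System
disabled = 0

[WMI:FreeDiskSpaceOnServers]
server=SERVER1,SERVER2,SERVER3
interval=600
wql = select Name, FreeSpace, Size from Win32_LogicalDisk Where DriveType = 3
disabled=0
"""

def parse_wmi_conf(text):
    """Return {stanza_name: {key: value}} for every [WMI:...] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("WMI:")}

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_stanza(stanza, min_interval=10):
    """Return the problems in one stanza (min_interval is an assumed floor)."""
    problems = []
    if not _split(stanza.get("server", "")):
        problems.append("no server listed")
    if ("event_log_file" in stanza) == ("wql" in stanza):
        problems.append("needs exactly one of event_log_file or wql")
    interval = stanza.get("interval", "")
    if not interval.isdigit() or int(interval) < min_interval:
        problems.append(f"interval must be an integer >= {min_interval}")
    return problems

def polling_targets(conf):
    """Expand enabled stanzas into (stanza, server, source) triples, one per remote WMI query."""
    targets = []
    for name, stanza in conf.items():
        if stanza.get("disabled", "0") not in ("0", "false"):  # assumed: these mean enabled
            continue
        sources = _split(stanza.get("event_log_file", "")) or (["wql"] if "wql" in stanza else [])
        for server in _split(stanza.get("server", "")):
            for src in sources:
                targets.append((name, server, src))
    return targets
```

Running it on the sample above yields nine targets (three servers times two event logs, plus one WQL query per server), which is a quick way to see how much remote polling a stanza really adds.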

Ahh this is just the post I am looking for.

Ok, so I have Splunk running on a Linux server, FC10 to be exact. Looks great, except there's no wonderful data to look at.

I want to have my IIS logs pushed over to Splunk.

So what is this WMI I need to have running?
Windows Management Instrumentation?
Where do I get it exactly?
Some links I have found
http://msdn.microsoft.com/en-us/library/aa394582.aspx
http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx
http://www.microsoft.com/downloads/details.aspx?FamilyId=0BAF2B35-C656-4969-ACE8-E4C0C0716ADB&displaylang=en

Does anyone have a link that works for this product?

Or do I need to run Splunk on a Windows server and then have all my servers push their data over to the centralized Splunk Windows server?

Thanks

Alternative solutions that I can think of, but not necessarily better.

Create some sort of share that is viewable by the Linux server. FTP a copy of the logs you want to index over to the Linux server.

If you're only interested in the IIS logs, you don't need WMI. You can, as suggested, copy the log files over to the indexer. You can also use the Splunk Forwarder to read the files and send the contents to the indexer. You may also be able to share the disk that the files are on (or write the files to a network drive) and mount the network drive on your Splunk server and read it from there.

Unless they've got some other system to centralize the IIS logs, then in practice most people find the Splunk Forwarder most convenient.