Hi folks:
I'd like to monitor log updates in some log directories located on a machine other than the Splunk server, and I don't want to install the Splunk server everywhere.
It seems that adding a File/Folder data input can only specify folders on the local machine. If I know the root account, is it possible to let Splunk index the log directory on a remote machine?
Thread: How to monitor logs in other machine? (Splunk forums, SplunkPreview)
There are several ways you can achieve this.
1. Set up a Splunk forwarder. As you mentioned, this is not desirable.
2. Set up a cron job on that machine to copy the log files to the Splunk server (not very efficient, and you don't get real-time data tracking).
3. Set up the machine to forward your logs via syslog to a UDP port that Splunk listens on.
4. Set up a TCP connection to the machine and netcat the logs across to it.
We don't have anything yet that goes out and obtains log files from remote machines. If we did something like this, how do you think it should work? Given a host password and path, you scp the file back to Splunk. That could start getting really messy, and once you move past 20 machines it becomes an utter nightmare to administer.
cheers,
rory
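Option 4 from the list above ("netcat the logs across a TCP connection"), as an added example that is not from this thread or from Splunk: a small shipper that does what `tail -F file | nc host port` does, but keeps an offset checkpoint so a restart neither loses nor re-sends lines, holds back a half-written line, and notices a logrotate-style replacement by inode change. `SPLUNK_HOST` and `SPLUNK_PORT` are placeholders for a Splunk TCP raw input; the `demo()` at the bottom talks to a local stand-in listener and a constructed log file so the whole thing runs offline.

```python
import json
import os
import socket
import socketserver
import tempfile
import threading
import time

SPLUNK_HOST = "splunk.example.internal"  # assumption: host of your [tcp://] raw input
SPLUNK_PORT = 9997                       # assumption: port of that input


def read_new_lines(path, state):
    """Return complete lines appended to `path` since state["offset"].

    `state` is {"inode": int, "offset": int}. A changed inode or a file that
    shrank means logrotate replaced or truncated it, so reading restarts at 0.
    A trailing partial line (no newline yet) is held back for the next call.
    """
    st = os.stat(path)
    if st.st_ino != state.get("inode") or st.st_size < state.get("offset", 0):
        state["inode"], state["offset"] = st.st_ino, 0
    with open(path, "rb") as f:
        f.seek(state["offset"])
        data = f.read()
    end = data.rfind(b"\n")
    if end == -1:
        return []
    state["offset"] += end + 1
    return data[: end + 1].decode("utf-8", "replace").splitlines()


def ship(lines, host, port, origin):
    """Send one event per line over a single TCP connection (what `nc` does).

    Each line is prefixed with the originating hostname: a TCP input only sees
    the connection's source address, not which machine's log file this was.
    """
    if not lines:
        return 0
    payload = "".join(f"{origin} {line}\n" for line in lines).encode()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
    return len(lines)


def run_once(path, state_file, host=SPLUNK_HOST, port=SPLUNK_PORT, origin=None):
    """One cron-style pass: read new lines, ship them, then checkpoint.

    The checkpoint is written only after sendall() returned, so a failed
    connection re-sends the same lines next run (at-least-once, never lost).
    """
    try:
        with open(state_file) as f:
            state = json.load(f)
    except (FileNotFoundError, ValueError):
        state = {}
    lines = read_new_lines(path, state)
    sent = ship(lines, host, port, origin or socket.gethostname())
    with open(state_file, "w") as f:
        json.dump(state, f)
    return sent


class _Collector(socketserver.StreamRequestHandler):
    """Stand-in for the Splunk TCP input so the demo runs offline."""

    def handle(self):
        for raw in self.rfile:
            self.server.received.append(raw.decode().rstrip("\n"))


def _wait_for(srv, n, timeout=5.0):
    # The listener runs in its own thread; wait until it has n lines.
    deadline = time.monotonic() + timeout
    while len(srv.received) < n and time.monotonic() < deadline:
        time.sleep(0.01)


def demo():
    """Three passes over a constructed log: partial line held back, then
    delivered once complete, then a logrotate-style replacement picked up."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _Collector)
    srv.received = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    sent = []
    with tempfile.TemporaryDirectory() as d:
        log, state = os.path.join(d, "app.log"), os.path.join(d, "app.state")
        with open(log, "w") as f:  # constructed sample log, second line unfinished
            f.write("sshd: Accepted publickey for ops\nsshd: Failed pass")
        sent.append(run_once(log, state, "127.0.0.1", port, "web01"))
        _wait_for(srv, 1)
        with open(log, "a") as f:  # the partial line is completed
            f.write("word for root\n")
        sent.append(run_once(log, state, "127.0.0.1", port, "web01"))
        _wait_for(srv, 2)
        with open(log + ".new", "w") as f:  # rotation: a new inode replaces the old
            f.write("sshd: Server listening\n")
        os.replace(log + ".new", log)
        sent.append(run_once(log, state, "127.0.0.1", port, "web01"))
        _wait_for(srv, 3)
    srv.shutdown()
    srv.server_close()
    return {"sent": sent, "received": srv.received}


if __name__ == "__main__":
    print(demo())
```

Run `run_once()` from cron on the remote box against the real indexer address. The same caveat applies to this as to options 3 and 4 in the list: a raw TCP or UDP input is cleartext and unauthenticated, so anything on the network path can read the events or inject fake ones into the index, and the hostname prefix is only as trustworthy as the sender.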
It would be nice to have a client that can be deployed to a group of machines with a preset configuration, without touching each machine.
If I had something like that working cross platform I wouldn't be working here, I would be retired in the Mediterranean :)
Pulling remote logs with the new windows client seems to be working fine.
Use an SMB share.
inputs.conf:
[tail://\\server\share\file.log]
*NIX can work by using a Samba automount to the Windows server's share path.
Rory, Windows domain users will have the same admin password across all 20 machines. If Splunk is running as the proper domain user, then it can access any remote log through CIFS.
Yeah, I was referring to event logs.
In any case, I would highly recommend avoiding tailing files over SMB for many reasons, including performance and poor fd handling.
ClaimJumper: use the deployment server to manage configuration, then just script the install to happen on each machine.
Doing this in a Windows environment would be a trivial program, you would think. Event logs are always located in the same directory, changes are very small, and exporting them, either by tailing or on a timed interval, would be simple and require little bandwidth, even less bandwidth if you account for the repetitious nature of most events in Windows.
There are a number of inventory applications that do this already, which I have used that have a minimal impact on the network.
Of course, it has been years since I did any kind of app programming, so I may just be making things up. But I do know that clientless inventory apps have found ways to do this. I have been slightly disappointed that there is nothing set up for Splunk that does this yet.