Splunk Universal Forwarder
Windows XP, 2003, Vista, Windows 7, 2008
2.6+ kernel Linux distributions (64-bit)
Windows :
> cd C:\Program Files\SplunkUniversalForwarder\bin
> splunk.exe restart
Startup log file
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
Linux :
// Configure the remote Splunk server
# /opt/splunkforwarder/bin/splunk add forward-server 192.168.0.1:9997
// Configure the monitored directory
# vi /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor:///var/log/apache2]
whitelist = \.log
// Restart
# /opt/splunkforwarder/bin/splunk restart
// View the startup log
# less /opt/splunkforwarder/var/log/splunk/splunkd.log
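A sanity check for the inputs.conf step, runnable before the restart. This is an added example, not part of the original post: the function names `check_monitor_stanzas` and `whitelist_preview` are hypothetical, the sample stanzas and file names are constructed, and `grep -E` stands in for the forwarder's regex matching.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before
# restarting the forwarder. Stanzas and file names below are constructed.

# Report each [monitor:...] stanza in an inputs.conf-style file.
# Documented form is monitor://<path>; with an absolute Linux path that is
# three slashes in total, e.g. [monitor:///var/log/apache2].
check_monitor_stanzas() {
    sed -n 's/^\[\(monitor:.*\)]$/\1/p' "$1" | while IFS= read -r stanza; do
        path=${stanza#monitor://}
        case $path in
            "$stanza") echo "WARN $stanza (missing monitor:// prefix)" ;;
            //*)       echo "WARN $stanza (extra slash after monitor://)" ;;
            /*)        echo "OK $path" ;;
            *)         echo "WARN $stanza (path is not absolute)" ;;
        esac
    done
}

# Print which candidate paths a whitelist regex selects. The whitelist is an
# unanchored regex matched against the full path; grep -E approximates it
# (assumption: the pattern uses no PCRE-only syntax).
whitelist_preview() {
    regex=$1; shift
    printf '%s\n' "$@" | grep -E -- "$regex" || true
}

# Constructed sample: one stanza with an extra slash and an unanchored
# whitelist, one in the documented form with an anchored whitelist.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[monitor:////var/log/apache2]
whitelist = \.log
[monitor:///var/log/apache2]
whitelist = \.log$
EOF
check_monitor_stanzas "$conf"
rm -f "$conf"

# Constructed file names as log rotation would leave them in the directory.
set -- /var/log/apache2/access.log /var/log/apache2/access.log.1 \
       /var/log/apache2/error.log.2.gz /var/log/apache2/README
echo "unanchored whitelist selects:"; whitelist_preview '\.log'  "$@"
echo "anchored whitelist selects:";   whitelist_preview '\.log$' "$@"
```

The unanchored pattern also selects rotated and compressed files such as `access.log.1` and `error.log.2.gz`; use `\.log$` if only the live logs should be forwarded.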