Now let's point our setup at “/var/log/” so that Splunk indexes the files there.
Select “Continuously index data from a file or directory this Splunk instance can access”.
Then, under “Full path to your data”, enter /var/log/ (without the quotes).
See screenshot
If everything went smoothly, you should now be presented with a “Success” window stating that your data is being indexed by Splunk. One thing to check before moving on: the account Splunk runs as must be able to read the files under /var/log/. On a stock RHEL system files such as /var/log/messages and /var/log/secure are readable only by root, so a Splunk instance running as a dedicated unprivileged user will silently index nothing from them until you grant it read access.
See screenshot
Congratulations, your Splunk setup is now complete. Provided you already have clients pointing to your syslog server, you can now start searching for logs.
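The same monitor input can be defined in a configuration file instead of through the wizard, which is handy when you build more than one syslog server. The following is an added example and is not from the original post or from Splunk's own documentation; the index name, the blacklist pattern and the /var/log/remote/<hostname>/ directory layout in the second stanza are assumptions about how your syslog daemon writes its files.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Added example: equivalent of the wizard step above. Pick ONE of the two
# stanzas; overlapping monitor stanzas index the same file twice.

# Option A: index everything under /var/log/, as the wizard does.
# Splunk auto-detects the "syslog" sourcetype for standard syslog files and
# extracts the sending client's name into the host field from the message
# header. If searches by host only ever return this server's own hostname,
# add "sourcetype = syslog" here (it then applies to every file in the tree).
[monitor:///var/log/]
disabled = false
# Assumption: a dedicated index created under Settings > Indexes.
# Omit this line to fall back to the default "main" index.
index = syslog
# Skip rotated archives and the binary login databases, which Splunk
# cannot usefully index as text.
blacklist = \.(gz|bz2|xz)$|/(wtmp|btmp|lastlog)$

# Option B (assumed layout): the syslog daemon writes one directory per
# client, e.g. /var/log/remote/rhel-client.example.com/messages.
# host_segment takes the host from path component 4
# (1 = var, 2 = log, 3 = remote, 4 = <hostname>), so the host field is
# correct even for lines with an unusual syslog header.
#[monitor:///var/log/remote/]
#disabled = false
#index = syslog
#sourcetype = syslog
#host_segment = 4
```

Restart Splunk (or use the Settings > Data inputs page) after editing the file, then confirm with a search such as `index=syslog | stats count by host` that events are arriving and that the host field carries the client names rather than the Splunk server's own hostname.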
Searching for Data
In this setup, I have the client “rhel-client.example.com” pointing to my syslog server.
Let's say, for example, I wanted to see the last thing that was installed on my client. I can search for the hostname and yum. This will present me with the latest information from that specific host, including which packages were installed.
See screenshot
In the above example, you can see that Apache (httpd) and its dependencies have been installed on the host “rhel-client.example.com”. This is obviously a very simple search, but you can play around and get a feel for how the search language fits together. If I had a server farm of 50 servers and wanted to see what was installed over the past 24 hours, I could achieve that with the same search simply by changing the search criteria.
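The two searches described above, written out in Splunk's search language as an added example that is not part of the original post. It assumes the syslog data lives in an index named syslog (drop the index= term if you used the default index) and that yum's syslog messages contain the text “Installed: <package>”, which is the format yum emits when syslog logging is enabled in yum.conf.

```spl
# Added example. First search: the last 20 yum events from a single client,
# matching the screenshot above (newest event first).
host="rhel-client.example.com" yum
| head 20

# Second search: everything installed across the whole server farm in the
# last 24 hours, one row per host and package, newest install first.
# Assumptions: index name "syslog"; yum lines look like
#   Apr  1 12:00:00 rhel-client yum[1234]: Installed: httpd-2.4.6-1.el7.x86_64
index=syslog sourcetype=syslog yum "Installed:" earliest=-24h
| rex "Installed:\s+(?<package>\S+)"
| stats count AS installs, latest(_time) AS last_install BY host, package
| sort -last_install
| convert ctime(last_install)
```

The rex command pulls the package name out of the raw event into a field called package; stats then collapses the events to one row per host and package, and sort runs before convert so the ordering is by time rather than by the formatted string. Because the host field comes from the syslog header rather than from the Splunk server, the same search scales from one client to fifty without changing anything but the host filter.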
As we have pointed Splunk to index every file in /var/log/, all you need to ensure is that your syslog daemon is configured to write the data you wish to receive. This could be anything from Linux logs from other servers, but could also include hardware devices like Cisco, HP, Dell, and all other forms of technology. If the client can transmit logs via syslog, then Splunk will pick it up. Two caveats worth keeping in mind: classic syslog over UDP port 514 is neither authenticated nor reliable, so restrict which addresses may send to the server with a firewall rule and prefer TCP (or TLS where the device supports it) for anything you intend to rely on for investigations; and the timestamps Splunk indexes come from the clients' own clocks, so keep every sender synchronised with NTP or events from different hosts will not line up when you search across them.