
We have tons of Linux machines which are all connected to Active Directory (AD). AD logs are being pulled into Splunk.

Is there a way to get the command history of all Linux machines into Splunk from the AD logs (more like the process command-line logs for Windows) without installing a Splunk forwarder on each one of them?

U880D
    According to [Choosing a Forwarder, or not](https://www.splunk.com/blog/2011/10/24/choosing-a-forwarder-or-not.html) and [Getting data in](http://dev.splunk.com/view/SP-CAAAE3A#Gettingdatain-Specifyingyourinputsource), a forwarder seems to be recommended. I don't know of a practicable way of pulling logs from tons of Linux machines into Splunk. – U880D Jul 27 '18 at 07:50

1 Answer


One solution would be to have each system syslog to a central syslog server and run a single Splunk Forwarder there. You could then bulk-ingest logs, or ingest logs only for the systems you want. It also makes it a little easier to grow down the road, as you can have any additional processes just syslog to the same server.

Ackack
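The three pieces of the design in the answer above (forwarding rsyslog on every host, a collector that writes one directory per host, and a single Splunk universal forwarder that monitors only the hosts you want), written out as an added example. This is not code from the original post or from its author; the collector name `syslog.example.internal`, the `local6` facility, the `/var/log/remote` layout, the `(web|db)[0-9]+` host whitelist and the output file names are all assumptions. Because the question is about command history rather than syslog in general, the example also includes one common way of getting shell commands into syslog (a bash `PROMPT_COMMAND` hook calling `logger`); that hook is an assumed approach, not something the answer specifies, and it is easy for a user to disable, so the comments point at an auditd `execve` rule as the tamper-resistant alternative.

```shell
#!/bin/sh
# Added example (not from the original post): the config for each tier of the
# central-syslog design. Hostnames, paths, facility and whitelist are assumptions.
#
# Tier 1 - every Linux host: /etc/rsyslog.d/50-central.conf forwards to the collector
# Tier 2 - the collector: /etc/rsyslog.d/10-remote.conf writes one file per host
# Tier 3 - the single Splunk universal forwarder on the collector: inputs.conf
# Plus the piece the question actually asks about: getting shell commands into syslog.

write_central_syslog_configs() {
    outdir="$1"
    mkdir -p "$outdir"

    # Tier 1 (each host). TCP plus a disk-assisted queue, so a collector outage
    # does not silently drop command history while it is down.
    cat > "$outdir/rsyslog-client.conf" <<'EOF'
# /etc/rsyslog.d/50-central.conf on every Linux host
# local6 is the facility the command-logging hook below uses; auth/authpriv
# carry sudo and PAM events. Replace the target with your own collector.
local6.*;auth.*;authpriv.* action(type="omfwd"
        target="syslog.example.internal" port="514" protocol="tcp"
        queue.type="LinkedList" queue.filename="central_fwd"
        queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF

    # Tier 2 (collector). One directory per sending host is what lets the
    # forwarder pick hosts selectively and derive the host field from the path.
    # With "-t bash_cmd" below, commands land in /var/log/remote/<host>/bash_cmd.log.
    cat > "$outdir/rsyslog-server.conf" <<'EOF'
# /etc/rsyslog.d/10-remote.conf on the collector
module(load="imtcp")
input(type="imtcp" port="514")
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="PerHostFile")
    stop
}
EOF

    # Tier 3 (the only Splunk forwarder). host_segment = 4 takes the host name
    # from /var/log/remote/<host>/...; the whitelist regex is how you ingest only
    # the systems you want instead of everything the collector receives.
    cat > "$outdir/splunk-inputs.conf" <<'EOF'
# $SPLUNK_HOME/etc/system/local/inputs.conf on the collector
[monitor:///var/log/remote]
recursive = true
sourcetype = syslog
host_segment = 4
whitelist = /var/log/remote/(web|db)[0-9]+/
EOF

    # Command capture (assumed approach): a bash PROMPT_COMMAND hook that sends
    # each command to syslog via logger. Convenient, but not tamper-proof: any
    # user can unset PROMPT_COMMAND or start a different shell. Where that
    # matters, the auditd execve rule in the trailing comment is the stronger source.
    cat > "$outdir/cmdlog.sh" <<'EOF'
# /etc/profile.d/cmdlog.sh on every Linux host
export PROMPT_COMMAND='history -a; logger -p local6.info -t bash_cmd "$(whoami) [$$] $(history 1 | sed "s/^ *[0-9]* *//")"'
# Stronger alternative (/etc/audit/rules.d/cmd.rules):
# -a exit,always -F arch=b64 -S execve -k cmds
EOF
}

# Usage: sh central_syslog.sh /path/to/output_dir
if [ -n "${1:-}" ]; then
    write_central_syslog_configs "$1"
fi
```

Run it with an output directory, then copy each generated file to the path named in its first comment line on the appropriate tier. The client config forwards only `local6`, `auth` and `authpriv`; widen the selector if you want other facilities on the collector too.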