Monitor logs using forwarders

To define which logs are monitored and forwarded to the indexer, edit the inputs.conf file in the $SPLUNK_HOME\etc\system\local directory on the forwarder (on a Windows universal forwarder, $SPLUNK_HOME is C:\Program Files\SplunkUniversalForwarder by default). The forwarder must already know where to send data (its outputs.conf / forward-server setting), so inputs.conf only decides what is collected. Here is how it is done on Windows:

Open the inputs.conf file in a text editor (run the editor as Administrator, because the file lives under Program Files; create the file if it does not exist yet):

[Screenshot: inputs.conf example]

Add the data inputs by specifying stanzas. A stanza is a section of a configuration file that begins with a text string enclosed in brackets and contains one or more configuration parameters defined as key/value pairs. For a file input the stanza header is the monitor:// scheme followed by the file path. We will monitor the log file located at C:\logs\remote_access.log, classify its events with the sourcetype remote_access_logs, and store the data in the index called remotelogs. Note that the index is only named here; it must already exist on the indexer, otherwise the events are not stored where you expect them:

[Screenshot: inputs.conf monitor logs]

After you add the inputs, restart the forwarder (run splunk restart from $SPLUNK_HOME\bin, or restart the SplunkForwarder service) so the changes take effect. The forwarder only reads the file from its current position onward unless told otherwise, so new lines are what you should expect to see. We can then search the logs on the indexer, restricting the search to the index and sourcetype we configured, to make sure that the events have been received and indexed:

[Screenshot: search remote logs]
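The whole procedure above as a PowerShell script, added here as an example; it is not code from the original page. It assumes the default universal forwarder install path, that the forwarder already has the indexer configured as its forward-server, that the remotelogs index exists on the indexer, and that the indexer is reachable locally with the placeholder credentials admin:changeme.

```powershell
# Added example (not from the original page): configure a Windows universal
# forwarder to monitor C:\logs\remote_access.log, restart it, and verify that
# the events reach the indexer. Paths and credentials below are assumptions.

$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # default UF path (assumption)
$InputsConf = Join-Path $SplunkHome 'etc\system\local\inputs.conf'

# The [monitor://<path>] stanza tells the forwarder which file to tail.
# sourcetype and index are set per input; the index must already exist on
# the indexer, otherwise the events will not land in remotelogs.
$Stanza = @"

[monitor://C:\logs\remote_access.log]
disabled = false
sourcetype = remote_access_logs
index = remotelogs
"@

# Append rather than overwrite, so any existing inputs in the file are kept.
New-Item -ItemType Directory -Path (Split-Path $InputsConf) -Force | Out-Null
Add-Content -Path $InputsConf -Value $Stanza

# Sanity check before restarting: btool merges every layer of configuration
# and prints the effective stanza, which catches typos in the file.
& "$SplunkHome\bin\splunk.exe" btool inputs list 'monitor://C:\logs\remote_access.log' --debug

# Restart the forwarder so it picks up the new input
# (Restart-Service SplunkForwarder does the same thing).
& "$SplunkHome\bin\splunk.exe" restart

# Confirm the forwarder is actually monitoring the file and has an output.
& "$SplunkHome\bin\splunk.exe" list monitor
& "$SplunkHome\bin\splunk.exe" list forward-server

# On the indexer (or a search head), verify that events arrived. The indexer
# path and the admin:changeme credentials are placeholders for this example.
$IndexerSplunk = 'C:\Program Files\Splunk\bin\splunk.exe'
& $IndexerSplunk search 'index=remotelogs sourcetype=remote_access_logs | head 5' -auth admin:changeme
```

If the search returns nothing, check the forwarder's own log ($SPLUNK_HOME\var\log\splunk\splunkd.log) for TailReader or TcpOutputProc errors: the usual causes are a typo in the monitor path, a missing index on the indexer, or no forward-server configured.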

Geek University 2022