How can I get notifications.log from the Leader Node, and forward them to Splunk?

mtorres30 · September 2023

Hello, How can I get notifications.log from the Leader Node, and forward them to Splunk?

Quinn Stevenson · September 2023

Install a Splunk UF on the leader or install a Cribl Edge agent on the leader - one of those can forward the leader's logs on

mtorres30 · September 2023

So there is no way to forward it with the help of the Leader? There would be an option to send it from workers via Splunk HEC though. But trying to see if Cribl Leader is of any help in this matter

Jon Rust · September 2023

Edge is preferred, of course :slightly_smiling_face:

Jon Rust · September 2023

Leaders don't transport data

Jon Rust · September 2023

you can query the API

Jon Rust · September 2023

using REST Collector

Jon Rust · September 2023

Worker -> REST call to Leader -> send results

mtorres30 · September 2023

And if I have more than one Worker, would it result in duplicates?

Jon Rust · September 2023

no. REST Collections are coordinated by ... the leader

mtorres30 · September 2023

Okay. Thanks a lot!

Raanan Dagan · September 2023

One solution is to create a REST API Collector Collect URL = `http://leader:9000/api/v1/system/logs/notifications.log` And in the Authentication use the ' Login ' option to obtain the bearer token At that point you can forward the data to Splunk

How can I get notifications.log from the Leader Node, and forward them to Splunk?

Answers

Categories