https://github.com/jmaas/splunk-ta-journald
Simple TA to enable on-boarding of journald events into Splunk.
splunk splunk-addon splunk-enterprise
- Host: GitHub
- URL: https://github.com/jmaas/splunk-ta-journald
- Owner: jmaas
- License: bsd-2-clause
- Created: 2020-09-22T06:58:14.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2020-09-30T13:26:42.000Z (over 5 years ago)
- Last Synced: 2025-03-04T07:12:44.880Z (over 1 year ago)
- Topics: splunk, splunk-addon, splunk-enterprise
- Language: Shell
- Size: 4.88 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Splunk TA journald
This TA is a very simple method for collecting Linux journald logs into Splunk. It was created to onboard Linux events quickly without falling back to installing rsyslogd to read from the journal. If you need the journald logs from endpoints that are not running the Splunk Universal Forwarder, this solution is not for you!
## Implementation details
- It's implemented using a simple bash script called from a scripted input.
- Events are pulled from journald every 30 seconds using journalctl.
- The events are retrieved in JSON format, and the provided input configuration handles this accordingly.
- The script maintains state so that you don't end up with duplicate events.
- On the first run it will only pull today's events from the journal.
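As an added example (not the TA's own script), the following POSIX sh collector shows the state handling the list above describes: the first run selects today's events, every later run selects only events after the saved journal cursor, and the cursor is written atomically so an interrupted run cannot corrupt the state. The state file path, the JOURNALD_TA_STATE variable and the function names are assumptions; journalctl's `--since`, `--after-cursor` and `-o json` options are real.

```shell
#!/bin/sh
# Added example of a cursor-tracking journald scripted input (assumed names).
set -eu

STATE_FILE="${JOURNALD_TA_STATE:-/var/tmp/journald-ta.cursor}"  # assumed path

# Build the journalctl selection argument from the saved state:
# no state yet -> today's events only; otherwise everything after the cursor.
journald_args() {
    state="$1"
    if [ -s "$state" ]; then
        printf '%s\n' "--after-cursor=$(cat "$state")"
    else
        printf '%s\n' "--since=today"
    fi
}

# Read journalctl -o json lines on stdin and echo the last __CURSOR value;
# empty output means no events were emitted in this cycle.
last_cursor() {
    sed -n 's/.*"__CURSOR"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | tail -n 1
}

# Persist the cursor via rename so a crash mid-write cannot leave a truncated
# state file that would make the next run re-send or skip events.
save_cursor() {
    state="$1"; cursor="$2"
    [ -n "$cursor" ] || return 0          # nothing new: keep the old cursor
    printf '%s\n' "$cursor" > "$state.tmp" && mv "$state.tmp" "$state"
}

# One collection cycle: emit JSON events on stdout (Splunk reads the scripted
# input's stdout) and advance the cursor only if journalctl succeeded.
collect() {
    state="$1"
    out="$(journalctl -q --no-pager -o json "$(journald_args "$state")")" || return $?
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    save_cursor "$state" "$(printf '%s\n' "$out" | last_cursor)"
}

# Run a cycle only when invoked as `script.sh run`, so sourcing the file for
# inspection or testing does not touch the journal.
case "${1:-}" in
    run) collect "$STATE_FILE" ;;
esac
```

Splunk's scripted input would call the script with `run` at the 30-second interval; the emitted lines are the same JSON objects the TA's input configuration expects.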
## Deployment
The TA can be pushed to all Splunk components in your architecture:
- Universal Forwarders
- Indexers
- Search Heads
- Management instances (license master, deployer, cluster master, etc.)