By default, in most Linux distros, OpenVPN log output goes to syslog, which is usually at /var/log/syslog. However, your config file can set the log file location explicitly, as shown below:
sudo vi /etc/openvpn/server.conf
- Change or add:
log-append /var/log/openvpn.log
- Restart to use the new config:
sudo service openvpn restart
- Add to Splunk forwarder:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/openvpn.log -index main -sourcetype OpenVPN
- Or add the monitor to the Splunk forwarder manually:
sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///var/log/openvpn.log]
disabled = false
index = main
sourcetype = OpenVPN
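A path mismatch between server.conf and inputs.conf leaves the forwarder watching a file OpenVPN never writes, so the VPN logs never reach Splunk. The check below is an added example, not part of the original page: its function names are hypothetical, the sample files are constructed, and it assumes that the last log or log-append directive in the config is the effective one.

```shell
# Added example: confirm the file OpenVPN logs to is the file Splunk monitors.
# Function names are hypothetical; the sample files below are constructed.

# Print the path from the last `log` / `log-append` directive (assumption: the
# last one wins). Commented-out lines never match. Empty output means syslog.
openvpn_log_path() {
  awk '$1 == "log" || $1 == "log-append" { path = $2 }
       END { gsub(/"/, "", path); if (path != "") print path }' "$1"
}

# Print the sourcetype of the [monitor://<path>] stanza in an inputs.conf.
# Fails if the stanza is missing or carries disabled = true / 1.
splunk_monitor_sourcetype() {
  awk -v want="[monitor://$2]" '
    /^\[/ { in_stanza = ($0 == want); if (in_stanza) found = 1; next }
    in_stanza {
      n = split($0, kv, "=")
      if (n < 2) next
      key = kv[1]; val = kv[2]
      gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "disabled" && (val == "true" || val == "1")) disabled = 1
      if (key == "sourcetype") st = val
    }
    END { if (!found || disabled) exit 1; print st }
  ' "$1"
}

# Succeed only when OpenVPN writes to a file and that file has an enabled monitor.
check_openvpn_forwarding() {
  local path st
  path=$(openvpn_log_path "$1")
  [ -n "$path" ] || { echo "no log/log-append directive: output goes to syslog"; return 1; }
  st=$(splunk_monitor_sourcetype "$2" "$path") || { echo "$path has no enabled monitor"; return 1; }
  echo "$path -> sourcetype=$st"
}

# Constructed sample files mirroring the settings above.
demo=$(mktemp -d)
printf '%s\n' 'port 1194' '# log /tmp/old.log' 'log-append /var/log/openvpn.log' > "$demo/server.conf"
printf '%s\n' '[monitor:///var/log/openvpn.log]' 'disabled = false' 'index = main' \
  'sourcetype = OpenVPN' > "$demo/inputs.conf"
check_openvpn_forwarding "$demo/server.conf" "$demo/inputs.conf"
```

On a real host, pass /etc/openvpn/server.conf and /opt/splunkforwarder/etc/apps/search/local/inputs.conf as the two arguments.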