# Send Local Logs to Splunk

**Scenario:** you want to save gateway/relay logs to a Splunk Indexer. This guide presents a simple method to send all gateway/relay logs to a Splunk Indexer.

{% hint style="info" %}
As with all gateway/relay logs, the logs stored on the gateway/relay will not include Admin UI activities, which can be accessed via the `sdm audit activities` command.
{% endhint %}

### Setting up the export

1. Enable relay logging in the Admin UI under *Settings / Log Encryption & Storage*. Ensure logging is set to FILE.
2. Configure your indexer to receive the data from the forwarder:

   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-7f45d1fb975ce7bab6c2f644d8963f2c4ade839e%2Flogs-splunk-1-configure1.png?alt=media) ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-da72d11156d1ee01dee25b3c457fc7551909e33b%2Flogs-splunk-2-configure2.png?alt=media) ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-47e2b3731e009749ce8ed68576a2e82bae9f6dba%2Flogs-splunk-3-configure3.png?alt=media)
3. Create an index for StrongDM, called "sdm\_index" in this example:

   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-21533c53c88296f5b09d161fff0984189ce88a90%2Flogs-splunk-4-createindex1.png?alt=media) ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-6ae439422d9ca87e9656bc526223ef860d7a4cb0%2Flogs-splunk-5-createindex2.png?alt=media) ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-e84fa664a1df788ddb70f777c67e99c0f13ae689%2Flogs-splunk-6-createindex3.png?alt=media)
4. Install the forwarder, then configure the monitor.

   ```bash
   wget -O splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=universalforwarder&filename=splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpm&wget=true'
   sudo rpm -ihv splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpm
   export PATH=$PATH:/opt/splunkforwarder/bin
   splunk start
   ```

{% hint style="info" %}
You'll be asked to set the admin password on the first run of `splunk start`.
{% endhint %}

```bash
splunk list forward-server
Active forwards:
    ec2-34-210-43-66.us-west-2.compute.amazonaws.com:9997
Configured but inactive forwards:
    None

splunk add monitor /home/ec2-user/.sdm/logs/ -index sdm_index -sourcetype sdm

splunk list monitor
[...]
/home/ec2-user/.sdm/logs
        /home/ec2-user/.sdm/logs/relay.1616439304.0.log
        /home/ec2-user/.sdm/logs/relay.1616439311.0.log
        /home/ec2-user/.sdm/logs/relay.1616595755.0.log
        /home/ec2-user/.sdm/logs/relay.1616604787.0.log
        /home/ec2-user/.sdm/logs/relay.1616652500.0.log
[...]
```

5\. On the indexer, search the new index (`index=sdm_index`) to confirm that relay events are arriving.
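To confirm the export is actually working rather than merely configured, the following added check (not part of this guide or of StrongDM's tooling) parses the `splunk list forward-server` and `splunk list monitor` output shown above, verifies that there is an active forward and that the `.sdm/logs` directory is monitored, and derives the newest relay log's start time from the epoch in its file name. The sample outputs are constructed to match this page; the `Monitored Directories:`/`Monitored Files:` headers, the `relay.<epoch>.<n>.log` naming interpretation and the `SDM_LOG_DIR` path are assumptions.

```python
import re
from datetime import datetime, timezone
SDM_LOG_DIR = "/home/ec2-user/.sdm/logs"  # directory passed to `splunk add monitor` above

# Constructed sample output, shaped like the page's `splunk list forward-server`.
FORWARD_SERVER_OUTPUT = """Active forwards:
    ec2-34-210-43-66.us-west-2.compute.amazonaws.com:9997
Configured but inactive forwards:
    None
"""
# Constructed sample output, shaped like the page's `splunk list monitor`
# (the section headers are assumed; the parser relies only on indentation).
MONITOR_OUTPUT = """Monitored Directories:
/home/ec2-user/.sdm/logs
        /home/ec2-user/.sdm/logs/relay.1616439304.0.log
        /home/ec2-user/.sdm/logs/relay.1616652500.0.log
Monitored Files:
"""
# Assumed relay log naming: relay.<start epoch>.<n>.log, as in the page's listing.
RELAY_LOG = re.compile(r"relay\.(\d+)\.\d+\.log$")

def entries_under(output, heading):
    """Indented lines that follow the unindented line `heading` in splunk CLI output."""
    entries, inside = [], False
    for line in output.splitlines():
        if not line.startswith((" ", "\t")):  # an unindented line starts a new section
            inside = line.strip() == heading
        elif inside and line.strip() and line.strip() != "None":
            entries.append(line.strip())
    return entries

def newest_relay_log_time(files):
    """Start time (UTC) of the newest relay log, from the epoch in its file name."""
    epochs = [int(m.group(1)) for f in files if (m := RELAY_LOG.search(f))]
    return datetime.fromtimestamp(max(epochs), tz=timezone.utc) if epochs else None

def check_export(forward_output, monitor_output, directory=SDM_LOG_DIR):
    """Return a list of problems; an empty list means the export looks healthy."""
    problems = []
    if not entries_under(forward_output, "Active forwards:"):
        problems.append("no active forward-server: logs are not leaving the relay")
    files = entries_under(monitor_output, directory)
    if not files:
        problems.append(f"{directory} is not monitored (run `splunk add monitor`)")
    elif newest_relay_log_time(files) is None:
        problems.append(f"{directory} is monitored but holds no relay.*.log files")
    return problems

if __name__ == "__main__":
    print(check_export(FORWARD_SERVER_OUTPUT, MONITOR_OUTPUT) or "export looks healthy")
```

Against a live forwarder, replace the two constants with the real command output (for example `subprocess.run(["splunk", "list", "monitor"], capture_output=True, text=True).stdout`); a stale newest-log time on a relay that should be busy is a sign that the relay, not Splunk, has stopped writing.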
