topic Re: How do I configure a Splunk Forwarder on Linux? in All Apps and Add-ons

How do I configure a Splunk Forwarder on Linux?

MillerTime — Fri, 08 Jun 2012 21:07:59 GMT

What is a good procure to follow for installing a Splunk Universal Forwarder on a Linux host for the first time? A step by step process might help first time users get data into Splunk and understand some of the ways Splunk can be managed and configured.

Re: How do I configure a Splunk Forwarder on Linux?

kristian_kolb — Fri, 08 Jun 2012 21:36:55 GMT

to install and run as the user 'splunk', which is preferable to running as 'root':

log on and su to root.

rpm -i splunk_install_file.rpm
su splunk -c "/opt/splunkforwarder/bin/splunk start --accept-license"
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk
su splunk -c "/opt/splunkforwarder/bin/splunk edit user admin -password <your new password> -auth admin:changeme"

#optional if you want to use the Deployment Server feature of your splunk server.
su splunk -c "/opt/splunkforwarder/bin/splunk set deploy-poll <ip:port>"

/etc/init.d/splunk restart

Put all of that in a script, and you'll have a nice clean start.

Re: How do I configure a Splunk Forwarder on Linux?

ChrisG — Fri, 08 Jun 2012 21:38:43 GMT

The Distributed Deployment Manual has a lot of information about forwarding and receiving and includes instructions for installing and configuring the universal forwarder. Was there information you were looking for that you didn't find?

Re: How do I configure a Splunk Forwarder on Linux?

MillerTime — Mon, 28 Sep 2020 11:55:10 GMT

Splunk Command Line Reference:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/AccessandusetheCLIonaremoteserver

Note: the CLI may ask you to authenticate – it’s asking for the LOCAL credentials, so if you haven’t changed the admin password on the forwarder, you should use admin/changeme

Steps for Installing/Configuring Linux forwarders:

Step 1: Download Splunk Universal Forwarder:

http://www.splunk.com/download/universalforwarder

(64bit package if applicable!)

Step 2: Install Forwarder

Step 3: Enable boot-start/init script:

/opt/splunkforwarder/bin/splunk enable boot-start

(start splunk: /opt/splunkforwarder/splunk start)

Step 4: Enable Receiving input on the Index Server

Configure the Splunk Index Server to receive data, either in the manager:

Manager -> sending and receiving -> configure receiving -> new

or via the CLI:

/opt/splunk/bin/splunk enable listen 9997

Where 9997 (default) is the receiving port for Splunk Forwarder connections

Step 5: Configure Forwarder connection to Index Server:

/opt/splunkforwarder/bin/splunk add forward-server hostname.domain:9997

(where hostname.domain is the fully qualified address or IP of the index server (like indexer.splunk.com), and 9997 is the receiving port you create on the Indexer:
Manager -> sending and receiving -> configure receiving -> new)

Step 6: Test Forwarder connection:

/opt/splunkforwarder/bin/splunk list forward-server

Step 7: Add Data:

/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%

Where /path/to/app/logs/ is the path to application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data

This will create a file: inputs.conf in /opt/splunkforwarder/etc/apps/search/local/ -- here is some documentation on inputs.conf:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/

Step 8 (Optional): Install and Configure UNIX app on Indexer and *nix forwarders:

On the Splunk Server, go to Apps -> Manage Apps -> Find more Apps Online -> Search for ‘Splunk App for Unix and Linux’ -> Install the "Splunk App for Unix and Linux'

Restart Splunk if prompted, Open UNIX app -> Configure

Once you’ve configured the UNIX app on the server, you'll want to install the related Add-on: "Splunk Add-on for Unix and Linux" on the Universal Forwarder. Go to http://apps.splunk.com/ and find the "Splunk Add-on for Unix and Linux" (Note you want the ADD-ON, not the App - there is a difference!).
Copy the contents of the Add-On zip file to the Universal Forwarder, in: /opt/splunkforwarder/etc/apps/. If done correctly, you will have the directory "/opt/splunkforwarder/etc/apps/Splunk_TA_nix" and inside it will be a few directories along with a README & license files.

Restart the Splunk forwarder (/opt/splunkforwarder/bin/splunk restart)

Note: The data collected by the unix app is by default placed into a separate index called ‘os’ so it will not be searchable within splunk unless you either go through the UNIX app, or include the following in your search query: “index=os” or “index=os OR index=main” (don’t paste doublequotes)

Step 9 (Optional): Customize UNIX app configuration on forwarders:

Look at inputs.conf in /opt/splunkforwarder/etc/apps/unix/local/ and /opt/splunkforwarder/etc/apps/unix/default/

The ~default/inputs. path shows what the app can do, but everything is disabled. The ~local/inputs.conf shows what has been enabled – if you want to change polling intervals or disable certain scripts, make the changes in ~local/inputs.conf.

Step 10 (Optional): Configure File System Change Monitoring (for configuration files):

http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Monitorchangestoyourfilesystem

Note that Splunk also has a centralized configuration management server called Deployment Server. This can be used to define server classes and push out specific apps and configurations to those classes. So you may want to have your production servers class have the unix app configured to execute those scripts listed in ~local/inputs at the default values, but maybe your QA servers only need a few of the full stack, and at longer polling intervals. Using Deployment Server, you can configure these classes, configure the app once centrally, and push the appropriate app/configuration to the right systems.

Re: How do I configure a Splunk Forwarder on Linux?

rajeshgajula — Fri, 14 Sep 2012 22:42:07 GMT

Step 7 add data is failing for me, i dont see its creating inputs.conf file under /etc/apps/search/local .. i dont have local directory in that path..
i am trying this on linux.. what am i doing wrong.. my splunk version is 4.3.4

In handler 'monitor': Parameter index: Index 'main' does not exist. Please provide a valid index.

Re: How do I configure a Splunk Forwarder on Linux?

MillerTime — Fri, 21 Sep 2012 19:34:32 GMT

nope, just created this article (and answered it) so that there'd be some step-by-step info for other splunkers. thanks though!

Re: How do I configure a Splunk Forwarder on Linux?

MillerTime — Fri, 21 Sep 2012 19:36:27 GMT

If the command is giving you an error then it likely won't write to the inputs.conf file. Strange that the main index doesn't exist yet...try leaving off the '-index main' part. The main index is where new data goes by default anyways.

Re: How do I configure a Splunk Forwarder on Linux?

nashish — Mon, 18 Mar 2013 07:35:13 GMT

It's good Article

Re: How do I configure a Splunk Forwarder on Linux?

Thijxx — Mon, 28 Sep 2020 15:37:44 GMT

Still a great tutorial after 1.5 years!

@Anonymous 8: there are two almost identical unix apps.

After installation of a unix app, there is nu unix folder in /opt/splunk/etc/apps/
There are: splunk_app_for_nix and Splunk_TA_nix

You should copy the Splunk_TA_nix as described here: http://docs.splunk.com/Documentation/UnixApp/5.0.2TA/User/InstalltheSplunkAdd-onforUnixandLinux

Re: How do I configure a Splunk Forwarder on Linux?

windyita — Wed, 12 Feb 2014 09:17:06 GMT

I met with the same problem in step 7. after leaving off the '-index main' part, still no data is written in the config file. What's wrong? besides step 7 should be executed in which host?? thank you!

Re: How do I configure a Splunk Forwarder on Linux?

MillerTime — Mon, 28 Sep 2020 15:52:25 GMT

search $SPLUNK_HOME/etc/system/local/ and $SPLUNK_HOME/etc/apps (recursively) for "inputs.conf". If the command to add the input was successful there should be an associated inputs.conf with the specifications set by the command. If you're getting an error, what is the exact text?

Re: How do I configure a Splunk Forwarder on Linux?

justinsimonelis — Wed, 12 Feb 2014 13:31:01 GMT

correction to: "This will create a file: inputs.conf in /opt/splunk/etc/apps/search/local/ -- here is some documentation on inputs.conf:"

it's actually under /opt/splunkforwarder not /opt/splunk

Re: How do I configure a Splunk Forwarder on Linux?

MillerTime — Tue, 05 Aug 2014 23:10:31 GMT

fixed - thank you!

Re: How do I configure a Splunk Forwarder on Linux?

blebit — Fri, 07 Nov 2014 15:40:38 GMT

Active forwards:
None
Configured but inactive forwards

can you help on this?
fw is ok,
monitor /var/log/

thanks

Re: How do I configure a Splunk Forwarder on Linux?

mwisniewski9 — Mon, 09 Mar 2015 15:16:01 GMT

I would suggest checking your firewall settings and making sure you enabled the receiving port (default:9997) on your splunk forwarder

Re: How do I configure a Splunk Forwarder on Linux?

mnatalier — Fri, 20 Mar 2015 02:06:54 GMT

You need to ensure that the sysstat package is installed on the forwarder if you are running ubuntu. This add-on makes use of sar to provide data.

Re: How do I configure a Splunk Forwarder on Linux?

flakrat — Tue, 12 May 2015 02:15:38 GMT

The contents of this comment should replace: http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Useforwardingagentstogetdata

I spent hours trying to get the universal forwarder working on a linux box using that link, it only took a few minutes using MillerTime's instructions.

Re: How do I configure a Splunk Forwarder on Linux?

rlorenzon — Fri, 17 Jul 2015 17:22:53 GMT

I had the same issue and manually created the directory etc/apps/search/local and the inputs.con under it. In it I put:

[monitor:///var/log]
disabled = false

and it worked! This was after a day and a half struggling. Possibly was a permission issue but not sure. Thanks! Great article!

Re: How do I configure a Splunk Forwarder on Linux?

SarahSplunk123 — Wed, 02 Sep 2015 12:50:31 GMT

Try

splunk set deploy-poll Splunk_IP:Splunk_mgt_port
splunk restart

Re: How do I configure a Splunk Forwarder on Linux?

pelin_kurt_2 — Thu, 10 Sep 2015 05:36:12 GMT

It works!
Thank you very much for a great tutorial.