https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-for-OSX-installed-how-is-it-configured/m-p/72596#M14810 <P>You need to create the following files:</P> <P><STRONG>inputs.conf</STRONG> - to identify the files to be monitored<BR /><BR /> See <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf">http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf</A> for help. You may also need props.conf, but it depends on your inputs. Here is an example that monitors a single syslog log file:</P> <PRE><CODE>[monitor:///logs/mylogfile.log] sourcetype=syslog host=yourOSXhostname </CODE></PRE> <P><STRONG>outputs.conf</STRONG> - to tell Splunk where to forward the data. Example:</P> <PRE><CODE>[tcpout:my_indexer] server=10.10.10.1:9997 </CODE></PRE> <P>Note that you have to supply the server ip (or dns name) and the port number where Splunk is listening for forwarded data. See <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd</A> for more info and options.</P> <P>Put the files in "/Applications/splunkforwarder/etc/system/local" or your equivalent.</P> Fri, 15 Jun 2012 19:17:05 GMT lguinn2 2012-06-15T19:17:05Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-for-OSX-installed-how-is-it-configured/m-p/72595#M14809 <P>Hello All,</P> <P>I have the OSX Universal Forwarder installed on a 10.5 machine and Splunk installed on a server successfully receiving events from two Windows machines.</P> <P>How do I configure the OSX Forwarder to:</P> <UL> <LI>Nominate the log files I want monitored.</LI> <LI>Set the IP address of the server that the Forwarder will send event data too.</LI> </UL> <P>I cannot find this specific information in the documentation.</P> <P>Cheers</P> Mon, 11 Jun 2012 22:54:46 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-for-OSX-installed-how-is-it-configured/m-p/72595#M14809 eyeLikeCarrots 2012-06-11T22:54:46Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-for-OSX-installed-how-is-it-configured/m-p/72596#M14810 <P>You need to create the following files:</P> <P><STRONG>inputs.conf</STRONG> - to identify the files to be monitored<BR /><BR /> See <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf">http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf</A> for help. You may also need props.conf, but it depends on your inputs. Here is an example that monitors a single syslog log file:</P> <PRE><CODE>[monitor:///logs/mylogfile.log] sourcetype=syslog host=yourOSXhostname </CODE></PRE> <P><STRONG>outputs.conf</STRONG> - to tell Splunk where to forward the data. Example:</P> <PRE><CODE>[tcpout:my_indexer] server=10.10.10.1:9997 </CODE></PRE> <P>Note that you have to supply the server ip (or dns name) and the port number where Splunk is listening for forwarded data. See <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd</A> for more info and options.</P> <P>Put the files in "/Applications/splunkforwarder/etc/system/local" or your equivalent.</P> Fri, 15 Jun 2012 19:17:05 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-for-OSX-installed-how-is-it-configured/m-p/72596#M14810 lguinn2 2012-06-15T19:17:05Z