All Apps and Add-ons

How do I configure a Splunk Forwarder on Linux?

MillerTime
Splunk Employee
Splunk Employee

What is a good procure to follow for installing a Splunk Universal Forwarder on a Linux host for the first time? A step by step process might help first time users get data into Splunk and understand some of the ways Splunk can be managed and configured.

1 Solution

MillerTime
Splunk Employee
Splunk Employee

Splunk Command Line Reference:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/AccessandusetheCLIonaremoteserver

Note: the CLI may ask you to authenticate – it’s asking for the LOCAL credentials, so if you haven’t changed the admin password on the forwarder, you should use admin/changeme



Steps for Installing/Configuring Linux forwarders:

Step 1: Download Splunk Universal Forwarder:

http://www.splunk.com/download/universalforwarder

(64bit package if applicable!)

Step 2: Install Forwarder

Step 3: Enable boot-start/init script:

/opt/splunkforwarder/bin/splunk enable boot-start

(start splunk: /opt/splunkforwarder/splunk start)

Step 4: Enable Receiving input on the Index Server

Configure the Splunk Index Server to receive data, either in the manager:

Manager -> sending and receiving -> configure receiving -> new

or via the CLI:

/opt/splunk/bin/splunk enable listen 9997

Where 9997 (default) is the receiving port for Splunk Forwarder connections

Step 5: Configure Forwarder connection to Index Server:

/opt/splunkforwarder/bin/splunk add forward-server hostname.domain:9997

(where hostname.domain is the fully qualified address or IP of the index server (like indexer.splunk.com), and 9997 is the receiving port you create on the Indexer:
Manager -> sending and receiving -> configure receiving -> new)

Step 6: Test Forwarder connection:

/opt/splunkforwarder/bin/splunk list forward-server

Step 7: Add Data:

/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%

Where /path/to/app/logs/ is the path to application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data


This will create a file: inputs.conf in /opt/splunkforwarder/etc/apps/search/local/ -- here is some documentation on inputs.conf:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf


Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/

Step 8 (Optional): Install and Configure UNIX app on Indexer and *nix forwarders:

On the Splunk Server, go to Apps -> Manage Apps -> Find more Apps Online -> Search for ‘Splunk App for Unix and Linux’ -> Install the "Splunk App for Unix and Linux'

Restart Splunk if prompted, Open UNIX app -> Configure


Once you’ve configured the UNIX app on the server, you'll want to install the related Add-on: "Splunk Add-on for Unix and Linux" on the Universal Forwarder. Go to http://apps.splunk.com/ and find the "Splunk Add-on for Unix and Linux" (Note you want the ADD-ON, not the App - there is a difference!).
Copy the contents of the Add-On zip file to the Universal Forwarder, in: /opt/splunkforwarder/etc/apps/. If done correctly, you will have the directory "/opt/splunkforwarder/etc/apps/Splunk_TA_nix" and inside it will be a few directories along with a README & license files.

Restart the Splunk forwarder (/opt/splunkforwarder/bin/splunk restart)


Note: The data collected by the unix app is by default placed into a separate index called ‘os’ so it will not be searchable within splunk unless you either go through the UNIX app, or include the following in your search query: “index=os” or “index=os OR index=main” (don’t paste doublequotes)

Step 9 (Optional): Customize UNIX app configuration on forwarders:

Look at inputs.conf in /opt/splunkforwarder/etc/apps/unix/local/ and /opt/splunkforwarder/etc/apps/unix/default/

The ~default/inputs. path shows what the app can do, but everything is disabled. The ~local/inputs.conf shows what has been enabled – if you want to change polling intervals or disable certain scripts, make the changes in ~local/inputs.conf.

Step 10 (Optional): Configure File System Change Monitoring (for configuration files):

http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Monitorchangestoyourfilesystem

Note that Splunk also has a centralized configuration management server called Deployment Server. This can be used to define server classes and push out specific apps and configurations to those classes. So you may want to have your production servers class have the unix app configured to execute those scripts listed in ~local/inputs at the default values, but maybe your QA servers only need a few of the full stack, and at longer polling intervals. Using Deployment Server, you can configure these classes, configure the app once centrally, and push the appropriate app/configuration to the right systems.

View solution in original post

rajeshgajula
New Member

Step 7 add data is failing for me, i dont see its creating inputs.conf file under /etc/apps/search/local .. i dont have local directory in that path..
i am trying this on linux.. what am i doing wrong.. my splunk version is 4.3.4

In handler 'monitor': Parameter index: Index 'main' does not exist. Please provide a valid index.

0 Karma

rlorenzon
Explorer

I had the same issue and manually created the directory etc/apps/search/local and the inputs.con under it. In it I put:

[monitor:///var/log]
disabled = false

and it worked! This was after a day and a half struggling. Possibly was a permission issue but not sure. Thanks! Great article!

0 Karma

ChrisG
Splunk Employee
Splunk Employee

The Distributed Deployment Manual has a lot of information about forwarding and receiving and includes instructions for installing and configuring the universal forwarder. Was there information you were looking for that you didn't find?

MillerTime
Splunk Employee
Splunk Employee

nope, just created this article (and answered it) so that there'd be some step-by-step info for other splunkers. thanks though!

0 Karma

kristian_kolb
Ultra Champion

to install and run as the user 'splunk', which is preferable to running as 'root':

log on and su to root.

rpm -i splunk_install_file.rpm
su splunk -c "/opt/splunkforwarder/bin/splunk start --accept-license"
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk
su splunk -c "/opt/splunkforwarder/bin/splunk edit user admin -password <your new password> -auth admin:changeme"

#optional if you want to use the Deployment Server feature of your splunk server.
su splunk -c "/opt/splunkforwarder/bin/splunk set deploy-poll <ip:port>"

/etc/init.d/splunk restart

Put all of that in a script, and you'll have a nice clean start.

/k

SarahSplunk123
Explorer

Try

splunk set deploy-poll Splunk_IP:Splunk_mgt_port
splunk restart
0 Karma

blebit
Path Finder

Active forwards:
None
Configured but inactive forwards

can you help on this?
fw is ok,
monitor /var/log/

thanks

0 Karma

mwisniewski9
Explorer

I would suggest checking your firewall settings and making sure you enabled the receiving port (default:9997) on your splunk forwarder

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...