
splunk inputs.conf

New Member

Hi,

I am pretty much new to Splunk and I have a Splunk forwarder configured on one of my Linux servers.

Now I want to send the audit.log of that server to Splunk using the Splunk forwarder.

Which files do I need to modify?

splunkforwarder-5.0.2-149561 is the version.


Re: splunk inputs.conf

Motivator

Hello @sanaa,

I would highly recommend that you read

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Getstartedwithgettingdatain

and the following configuration files

Inputs.conf: https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Inputsconf &

Outputs.conf: https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Outputsconf

Step 1: in inputs.conf under /opt/splunk/etc/system/local/

add a monitor stanza

# path of the audit log file to monitor (one stanza per file)
[monitor:///path to the audit log file]
# the index must already exist on the indexers
index = name of the index where you want it to send
sourcetype = audit

In outputs.conf

[tcpout]
defaultGroup = Name of your Indexer layer

# the group name here must match defaultGroup above
[tcpout:Name of your Indexer layer]
autoLB = true
# seconds before the forwarder switches to the next indexer in the group
autoLBFrequency = 60
# comma-separated list of your indexers and their receiving port
server = 1.2.3.4:9997,5.6.7.8:9997

Finally, restart the splunkd service. I would highly recommend that you read the docs first.

Hope this helps!

Thanks,
Raghav

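The two files from the answer above, staged and sanity-checked by a script. This is an added example, not code from the thread or from Splunk: it writes inputs.conf and outputs.conf into a scratch directory so they can be reviewed before being copied to $SPLUNK_HOME/etc/system/local/ on the forwarder host, and it catches the slips that most often leave a forwarder silent (a defaultGroup with no matching [tcpout:<group>] stanza, a server list without a port, a missing index). The index name "linux_audit", the group "primary_indexers" and the 10.0.0.x indexer addresses are placeholders chosen for the demo. One caveat the thread does not spell out: the forwarder can only ship what its own process user can read, and audit.log is normally root-only, so the readability check should be run as that user.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: stage the two forwarder files in a
# scratch directory, check them, and only then copy them into
# $SPLUNK_HOME/etc/system/local/ on the forwarder host. All names below
# (index "linux_audit", group "primary_indexers", the 10.0.0.x indexers) are
# placeholders chosen for the demo.
set -eu

# write_forwarder_conf DIR AUDIT_LOG INDEX GROUP INDEXERS
# writes DIR/inputs.conf and DIR/outputs.conf. INDEXERS is a comma-separated
# host:port list; every indexer must be listening on that port (9997 by convention).
write_forwarder_conf() {
  local dir=$1 audit_log=$2 index=$3 group=$4 indexers=$5
  mkdir -p "$dir"
  cat > "$dir/inputs.conf" <<EOF
[monitor://$audit_log]
index = $index
sourcetype = audit
disabled = false
EOF
  cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = $group

[tcpout:$group]
autoLB = true
# seconds before the forwarder moves to the next indexer in the group
autoLBFrequency = 60
server = $indexers
EOF
}

# check_forwarder_conf DIR: 0 if the staged files are internally consistent,
# 1 (with a reason on stdout) otherwise. Catches the common slips: no monitor
# stanza, no index, a defaultGroup with no matching [tcpout:<group>] stanza,
# and a server list without a port.
check_forwarder_conf() {
  local dir=$1 group ok=0
  grep -q '^\[monitor://' "$dir/inputs.conf" || { echo "inputs.conf: no monitor stanza"; ok=1; }
  grep -q '^index = .' "$dir/inputs.conf"    || { echo "inputs.conf: no index"; ok=1; }
  group=$(sed -n 's/^defaultGroup = //p' "$dir/outputs.conf")
  [ -n "$group" ] || { echo "outputs.conf: no defaultGroup"; ok=1; }
  grep -q "^\[tcpout:$group\]" "$dir/outputs.conf" || { echo "outputs.conf: no [tcpout:$group] stanza"; ok=1; }
  grep -Eq '^server = [^, ]+:[0-9]+' "$dir/outputs.conf" || { echo "outputs.conf: server needs host:port"; ok=1; }
  return $ok
}

# check_audit_log_readable PATH: the forwarder only ships what its own user can
# read; audit.log is normally root-only, so run this as the forwarder's user.
check_audit_log_readable() {
  [ -r "$1" ] && echo "$1 readable" || { echo "$1 not readable by $(id -un)"; return 1; }
}

# Demo: stage, check, show.
stage=$(mktemp -d)
write_forwarder_conf "$stage" /var/log/audit/audit.log linux_audit primary_indexers "10.0.0.11:9997,10.0.0.12:9997"
if check_forwarder_conf "$stage"; then
  cat "$stage/inputs.conf" "$stage/outputs.conf"
fi
rm -rf "$stage"
```

After copying the files into place, `splunk btool inputs list --debug` and `splunk btool outputs list --debug` on the forwarder show the merged configuration Splunk actually loaded, which is the quickest way to confirm the stanzas landed where the restart will pick them up.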

Re: splunk inputs.conf

New Member

Hi,

I configured inputs.conf and outputs.conf as described, but I still can't see the events in the dashboard.

Can you please tell me if there is a way I can troubleshoot, or whether I have to open ports somewhere for network communication, as it runs on 9997?


Re: splunk inputs.conf

Motivator

Correct, the first thing you need is connectivity between source and destination. From the source, do a quick telnet to the destination on 9997:

telnet destination-ip 9997

If it's connected, check splunkd.log on both source and destination.

Location: $SPLUNK_HOME/var/log/splunk/splunkd.log

Look for any errors in these logs.

Thanks,
Raghav

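The two checks described in the answer above, connectivity to the indexer on 9997 and a scan of splunkd.log, as one script run from the forwarder host. This is an added example, not code from the thread or from Splunk. It assumes SPLUNK_HOME defaults to /opt/splunk as in the thread, takes the indexer host and port from the command line, and uses bash's /dev/tcp so the port test works on hosts where telnet is not installed. The splunkd.log lines it writes for the offline demo are constructed and only approximate the real file's wording; the component names (TcpOutputProc, TcpOutputFd, TailingProcessor, FilesystemChangeWatcher) are the ones to grep for, and the script sorts hits into "network" (indexer unreachable or not receiving) and "file-access" (the forwarder's user cannot read the monitored file), which are the two causes behind most "configured but nothing arrives" reports.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: the two checks Raghav describes
# (can the forwarder reach the indexer on 9997, and what does splunkd.log say),
# run from the forwarder host. SPLUNK_HOME defaults to /opt/splunk as in the
# thread; host/port come from the command line. The splunkd.log lines written
# by write_sample_log are constructed for the demo and only approximate the
# real file's wording.
set -eu

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
SPLUNKD_LOG="$SPLUNK_HOME/var/log/splunk/splunkd.log"

# check_indexer_port HOST PORT: 0 if a TCP connection opens, 1 otherwise.
# Uses bash's /dev/tcp so it works where telnet and nc are not installed;
# a failure here means firewall/routing, or nothing listening on the indexer.
check_indexer_port() {
  local host=$1 port=$2 to=""
  command -v timeout >/dev/null 2>&1 && to="timeout 5"
  if $to bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo "ok: $host:$port accepts connections"
  else
    echo "FAIL: cannot connect to $host:$port"; return 1
  fi
}

# splunkd_problem_lines FILE: print WARN/ERROR lines from the components that
# matter for a forwarder: output (TcpOutput*) and file reading (TailingProcessor,
# FilesystemChangeWatcher). Prints nothing, and succeeds, when the log is clean.
splunkd_problem_lines() {
  grep -E '[[:space:]](ERROR|WARN)[[:space:]]+(TcpOutputProc|TcpOutputFd|TailingProcessor|FilesystemChangeWatcher)[[:space:]]' "$1" || true
}

# count_splunkd_problems FILE: number of such lines (0 = log looks clean).
count_splunkd_problems() {
  splunkd_problem_lines "$1" | grep -c . || true
}

# classify_problem LINE: rough cause so the reader knows where to look next.
classify_problem() {
  case $1 in
    *TcpOutput*)           echo network ;;      # indexer unreachable / not receiving
    *"Permission denied"*) echo file-access ;;  # forwarder user cannot read the file
    *)                     echo other ;;
  esac
}

# write_sample_log FILE: constructed splunkd.log excerpt for the offline demo.
write_sample_log() {
  cat > "$1" <<'EOF'
03-07-2017 10:15:01.100 +0000 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 10.0.0.11:9997
03-07-2017 10:15:06.200 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.11:9997 timed out
03-07-2017 10:15:06.201 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.11:9997 failed
03-07-2017 10:15:10.300 +0000 WARN  FilesystemChangeWatcher - error getting attributes of path "/var/log/audit/audit.log": Permission denied
03-07-2017 10:15:11.000 +0000 INFO  TailingProcessor - Parsing configuration stanza: monitor:///var/log/audit/audit.log
EOF
}

# Demo. With HOST PORT arguments the connectivity check runs too; without them
# only the log is scanned. If the real splunkd.log is not readable here, the
# constructed excerpt is used so the script still runs offline.
if [ $# -ge 2 ]; then check_indexer_port "$1" "$2" || true; fi
log=$SPLUNKD_LOG; tmp=""
if [ ! -r "$log" ]; then tmp=$(mktemp); write_sample_log "$tmp"; log=$tmp; fi
echo "problem lines in $log: $(count_splunkd_problems "$log")"
splunkd_problem_lines "$log" | while IFS= read -r line; do
  echo "[$(classify_problem "$line")] $line"
done
[ -z "$tmp" ] || rm -f "$tmp"
```

Run it as `./check_forwarder.sh <indexer-ip> 9997` on the forwarder; the same scan of splunkd.log on the indexer side (the thread suggests checking both ends) tells you whether the connection arrived but was refused, for example because the receiving port was never enabled there.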