I am pretty much new to Splunk and I have the Splunk forwarder configured on one of my Linux servers.
Now I want to send the audit.log of that server to Splunk using the Splunk forwarder.
Which files do I need to modify?
splunkforwarder-5.0.2-149561 is the version
I would highly recommend you to read
and the following configuration files
Step 1: in inputs.conf under /opt/splunk/etc/system/local/
add a monitor stanza

[monitor:///path to the audit log file]
index = name of the index where you want it to send
sourcetype = audit

[tcpout]
defaultGroup = Name of your Indexer layer

[tcpout:Name of your Indexer layer]
autoLB = true
# seconds to switch to new indexer
autoLBFrequency = 60
# list your indexers and receiving port (eg: 18.104.22.168:9997,22.214.171.124:9997 etc)
server = host1:9997,host2:9997
Finally, restart splunkd service. I would highly recommend you to read the docs first.
Hope this helps!
I configured inputs.conf and outputs.conf as described, but I still can't see the events in the dashboard.
Can you please tell me if there is a way I can troubleshoot, or is there somewhere I have to open ports for network communication, as it runs on 9997?
Correct, the first thing you need is connectivity between source and destination. From the source, do a quick telnet to the destination on 9997:
telnet destination-ip 9997
If it connects, check splunkd.log on both source and destination.
Look for any errors in these logs.
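Added example, not from this thread: a small check that turns the two answers above into code. It parses the inputs.conf monitor stanza and the outputs.conf tcpout group, rejects a defaultGroup that names a stanza which does not exist (a frequent reason events never leave the forwarder), and runs the same TCP connect test as the telnet step. The log path, index name and indexer addresses are constructed placeholders.

```python
# Added example: parse forwarder inputs.conf/outputs.conf (INI-like) and run the telnet-style port check.
import configparser
import socket

# Constructed samples with placeholder values; path, index name and indexer IPs are assumptions.
SAMPLE_INPUTS = """
[monitor:///var/log/audit/audit.log]
index = linux_audit
sourcetype = audit
"""
SAMPLE_OUTPUTS = """
[tcpout]
defaultGroup = indexers
[tcpout:indexers]
autoLB = true
autoLBFrequency = 60
server = 10.0.0.5:9997, 10.0.0.6:9997
"""

def parse_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (defaultGroup, autoLB)
    cp.read_string(text)
    return cp

def monitored_paths(inputs_text: str) -> list[str]:
    """File paths from [monitor://...] stanzas; the forwarder user must be able to read them."""
    cp = parse_conf(inputs_text)
    return [s[len("monitor://"):] for s in cp.sections() if s.startswith("monitor://")]

def indexer_targets(outputs_text: str) -> list[tuple[str, int]]:
    """(host, port) pairs of the tcpout group that defaultGroup points at."""
    cp = parse_conf(outputs_text)
    group = cp["tcpout"]["defaultGroup"].strip()
    if f"tcpout:{group}" not in cp:  # common slip: group name and stanza name differ
        raise ValueError(f"defaultGroup '{group}' has no [tcpout:{group}] stanza")
    targets = []
    for entry in cp[f"tcpout:{group}"]["server"].split(","):
        host, _, port = entry.strip().rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"bad server entry '{entry.strip()}', expected host:port")
        targets.append((host, int(port)))
    return targets

def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:  # the 'telnet host 9997' test
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `check_tcp(host, port)` for each pair returned by `indexer_targets` from the forwarder host; an unreachable indexer points to a firewall or receiving-port problem, a reachable one means the next place to look is splunkd.log on both ends.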