I see in the documentation that, when activating a forwarder on the CLI, you pass "-server server:port -auth user:pass". How would I do this in a configuration file? I'm guessing server.conf in $SPLUNK_HOME/etc/apps/SplunkForwarder/local/server.conf but I'm not sure.
Thanks!
Using the configuration file it will be in $SPLUNK_HOME/etc/system/local/outputs.conf
or
$SPLUNK_HOME/etc/apps/<myapp>/local/outputs.conf
, like:
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996
See the documentation at:
http://docs.splunk.com/Documentation/Splunk/4.3.2/Deploy/Configureforwarderswithoutputs.confd
Ok, so puppet is different.
I would recommend to build a recipe to:
1- push or edit your configuration (outputs.conf)
2- restart the splunk forwarders to apply.
Another solution is to manage the configuration using the API, but it require auth too, like the CLI
Hmm, I misunderstood earlier. I want to make sure that the forwarder is not only enabled but also started:
splunk add forward-server
Is there a place to do this in the config files? I'm trying to control Splunk with Puppet and having the user:pass in a manifest is not ideal.
the -auth option on the CLI command line is used to avoid typing the admin/user password every time. (useful if you script the CLI configuration)
./splunk add monitor "/var/log/" -auth admin:changeme
When editing the config file you don't need it.
Thanks for the reply! What about the -auth part, though?