What files to modify too add a Universal Forwader ...

jonsplunktriral · ‎12-30-2019

Hello Everyone,

I was using Splunk Enterprise and my license had expired but I still want to have additional inputs using Universal Forwarder.

I have looked at the several inputs.conf file and I cannot file where i would change the setting to add the new forwarder.

The only reference I can find to the Universal Forwarder is in the "\etc\deployment-apps" directory. I tried copying and renaming the directory to the hostname bit the splunkd file in the hostname still cannot connect.

Thanks.

gcusello · ‎12-30-2019

Hi @jonsplunktriral,
there are several limits using Splunk Free instead Splunk Enterprise (for more details see at https://www.splunk.com/en_us/software/features-comparison-chart.html ) but there are no limites to receive data from Universal Forwarders.
But I think that you have some confusion, because deployment-apps is a folder that contains apps to deploy to Universal Forwarders when your Splunk Server is playing the Deployment Server role.

What's your need? do you need to take logs from the same server where Splunk is installed or from another one where Universal Forwarder is installed?

In first Case, you can take logs in the input section of Settings.
In the second case, you have to create a Technical Add-On that contains the inputs.conf that you need and manually copy or deploy it using Deployment Server into the Universal Forwarder.
For more infos, I hint to read at https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Getstartedwithgettingdatain .

Ciao and Happy New Year.
Giuseppe

jonsplunktriral · ‎12-31-2019

Thanks for the reply Giuseppe.

When I was under the trial license, I was installing forwarders on remote hosts and I was able to add Windows Event Logs thru Settings > Data Inputs > Forwarded Inputs > New Remote Windows Logs. But doing this thru the menus appearsto be disabled with the Free License.

I was trying to look for the appropriate inputs.conf file that contained a list of the existing hosts that I am receiving data from the Universal Forwarders so I can modify it to add a new host to monitor but I cannot locate it.

I hope my reply clarifies my situation.

Happy New Year!

Jon

gcusello · ‎01-02-2020

Hi @jonsplunktriral,
the solution for your need is to create a Technical Add-On that contains the inputs.conf that you need and manually copy or deploy it using Deployment Server into the Universal Forwarder.
If you need to take Windows logs, I hint to use the Splunk TA Windows (that you can find at https://splunkbase.splunk.com/app/742/ ) where all the Windows data are ready to be taken.
The procedure is:

Open Windows TA in your pc,
open inputs.conf that you can find in default folder,
copy inputs.conf in local folder (if not exists create it),
choose the data you need and change disable=1 in disable=0,
copy it on you Universal Forwarder (in $SPLUNK_HOME\etc\apps),
restart Splunk on UF.

I think that you already configured your UF to send data to Indexer, otherwise, you have to do it.

The above procedure can also be done using you Splunk as a Deployment Server (Splunk says that you can have the Deployment Server role on the same server if you have less than 50 clients) following the documentation at https://docs.splunk.com/Documentation/Splunk/8.0.1/Updating/Aboutdeploymentserver ).

Ciao.
Giuseppe

What files to modify too add a Universal Forwader input in Splunk Free

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!