Getting Data In

Configure Splunk Universal Forwarder with TCP input to send data with HTTP output to HEC filtering internal logs

edoardo_vicendo
Builder

Hello,

Due to a specific requirement we have to install a Splunk Universal Forwarder acting as "intermediate forwarder".

Basically it will receive data via TCP (to leverage persistent queue), and it has to forward them in output in HTTP.

Forwarding data in HTTP is possible since Splunk Universal Forwarder 8.x:

https://docs.splunk.com/Documentation/Forwarder/8.2.3.1/Forwarder/Configureforwardingwithoutputs.con...


Here the set-up:

# inputs.conf
[tcp://9997]
persistentQueueSize=1000MB
connection_host=none
disabled=false
# outputs.conf
#Example from Splunk
[httpout]
httpEventCollectorToken = eb514d08-d2bd-4e50-a10b-f71ed9922ea0
uri = https://10.222.22.122:8088


What we also want to achieve is to forward only the data received via TCP, and not to forward the Splunk UF internal logs. I didn't find any sort of _HTTP_ROUTING setting (like, for example, _TCP_ROUTING) to put in inputs.conf.

Therefore, listing all the Splunk UF inputs with this command:

/opt/splunkforwarder/bin/splunk btool inputs list --debug


I was thinking about this configuration:

#props.conf
[source::/opt/splunkforwarder/...]
force_local_processing = true
TRANSFORMS-null = setnull

#transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue


Do you think it is going to work?

Maybe another option could be to tag the TCP inputs' host based on DNS or IP, and then move to nullQueue all the logs produced by the Splunk UF:

#inputs
[tcp://9997]
persistentQueueSize=1000MB
connection_host=dns
disabled=false

#props.conf
[host::mysplunkUFhostname]
force_local_processing = true
TRANSFORMS-null = setnull

#transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue


Do you see any other possible configuration?


Thanks a lot,

Edoardo

0 Karma

PickleRick
SplunkTrust

Why wouldn't you want the internal logs in the first place? They can be very helpful in troubleshooting (and are used in forwarder monitoring if I remember correctly). And they don't eat your license.

0 Karma

edoardo_vicendo
Builder

Because this Splunk UF will receive specific data and has to forward only that data out over HTTP.

0 Karma

isoutamo
SplunkTrust

Still, how are you planning to debug your input etc. issues w/o internal logs?

0 Karma

edoardo_vicendo
Builder

Unfortunately old style, less/tail etc...

Not the best way, but currently the only solution, as HTTP output does not allow splitting the output: it is all or nothing.

0 Karma

PickleRick
SplunkTrust

What do you mean by "split the output"? You can normally forward events received from another UF and have them indexed separately from local internal logs. You can do local log ingestion as well. I have many such setups - for example when a customer has a site from which he doesn't have direct visibility to the Splunk infrastructure due to network segmentation and filtering issues. We use intermediate forwarders and everything runs smoothly.

0 Karma

richgalloway
SplunkTrust

Transforms don't work on universal forwarders.  You'll need a heavy forwarder for that.

There's an easier answer, however.  Just disable the monitoring of internal logs.  Add these lines to /opt/splunkforwarder/etc/apps/nointernallogs/local/inputs.conf (you'll need to create the directories and file):

[monitor:///opt/splunk/etc/splunk.version]
disabled = true

[monitor:///opt/splunk/var/log/introspection]
disabled = true

[monitor:///opt/splunk/var/log/splunk]
disabled = true

[monitor:///opt/splunk/var/log/splunk/license_usage_summary.log]
disabled = true

[monitor:///opt/splunk/var/log/splunk/splunk_instrumentation_cloud.log*]
disabled = true

[monitor:///opt/splunk/var/log/watchdog/watchdog.log*]
disabled = true

Then restart the forwarder.

---
If this reply helps you, Karma would be appreciated.
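As an added example (not code from this thread or from Splunk), here is a toy model of how the forwarder layers inputs.conf stanzas: it shows why the question's TCP-plus-httpout setup still ships the default internal-log monitors, and why `disabled = true` stanzas in an app's local/inputs.conf (the approach in the reply above) leave only the tcp://9997 input enabled. The stanza names, index values and layer order below are constructed assumptions; the authoritative merged view on a real forwarder is what `splunk btool inputs list --debug` prints.

```python
def parse_conf(text: str) -> dict:
    """Parse Splunk-style .conf text: [stanza] headers, key = value lines, # comments."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()
    return conf

def merge_layers(layers: list) -> dict:
    """Merge .conf texts from lowest to highest precedence; later layers win per key."""
    merged = {}
    for text in layers:
        for stanza, keys in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged

def enabled_inputs(layers: list) -> list:
    """Stanza names still enabled after layering (disabled defaults to false)."""
    return sorted(s for s, k in merge_layers(layers).items()
                  if k.get("disabled", "false").lower() not in ("true", "1"))

# Constructed stand-in for the forwarder's system/default inputs.conf (lowest precedence).
SYSTEM_DEFAULT = """
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
[monitor://$SPLUNK_HOME/var/log/introspection]
index = _introspection
"""
# The TCP listener from the question, in an app's inputs.conf.
APP_LOCAL = """
[tcp://9997]
persistentQueueSize = 1000MB
connection_host = none
disabled = false
"""
# Overrides in the spirit of the nointernallogs app; stanza names must match exactly.
NOINTERNALLOGS_LOCAL = """
[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true
[monitor://$SPLUNK_HOME/var/log/introspection]
disabled = true
"""
```

Note that an override only takes effect when its stanza name matches the default stanza character for character, so compare against the btool output before trusting that a monitor is really off.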

edoardo_vicendo
Builder

@richgalloway: Thanks for your feedback, initially I thought about this solution but wanted to have something "more robust" that does not depend on manually specifying which inputs to exclude.

By the way, you are right, transforms.conf does not apply on the UF, I'll try with your suggestion.

0 Karma