Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I use a universal forwarder to send log files in specific directory to ArcSight?

bgamblin
Explorer
‎08-07-2015 07:04 AM

I am already sending *.debug syslog data to an ArcSight connector in rsyslog.conf. Now they want to monitor some application logs in a specific directory. I have installed the universal forwarder, but not really sure how to setup inputs.conf and outputs.conf to send the log files. Any help is greatly appreciated.

0 Karma
Reply

khourihan_splun
Splunk Employee
Splunk Employee
‎08-07-2015 07:11 AM

Hey B,

You can use monitor input's in your inputs.conf file, or use the CLI. See example 5 here.

Regarding outputs.conf, you want to add something like this into $SPLUNK_HOME/system/local/outputs.conf:

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9997
autoLB = true

More info here.

Remember when editing .conf file, you need to restart the forwarder afterwards.

i.e. #splunk restart

Hope this helps,
Kyle

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...