Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I use a universal forwarder to send log files in specific directory to ArcSight?

bgamblin
Explorer
‎08-07-2015 07:04 AM

I am already sending *.debug syslog data to an ArcSight connector in rsyslog.conf. Now they want to monitor some application logs in a specific directory. I have installed the universal forwarder, but not really sure how to setup inputs.conf and outputs.conf to send the log files. Any help is greatly appreciated.

0 Karma
Reply

khourihan_splun
Splunk Employee
Splunk Employee
‎08-07-2015 07:11 AM

Hey B,

You can use monitor input's in your inputs.conf file, or use the CLI. See example 5 here.

Regarding outputs.conf, you want to add something like this into $SPLUNK_HOME/system/local/outputs.conf:

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9997
autoLB = true

More info here.

Remember when editing .conf file, you need to restart the forwarder afterwards.

i.e. #splunk restart

Hope this helps,
Kyle

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...