How can i configure input/output on universal forw...

jobycxa · ‎06-09-2011

Hi
I am using ubuntu OS on AWS and i have five servers. I used full spunk installation on first server and universal forwarder installation on other servers. I enabled receiver port 9997 on first server using spulnk web (http://www.splunk.com/base/Documentation/latest/Deploy/Enableareceiver).How do i forward data to the first server using universal forwarder from rest of the servers? For eg: i want to monitor /var/log/ dirctory on all the servers from main splunk instance. Any simple config examples for input.conf and output.conf?

thanks in advance

jobycxa · ‎06-09-2011

Hello,

I have done the above two configurations on client servers. But couldn't see any changes on splunk web. Is there anything else i have to configure for proper working? How to check whether forwarding is working or not?

thanks

hazekamp · ‎06-09-2011

jobycxa,

These configurations are pretty straight forward.

## inputs.conf
###### OS Logs ######
[monitor:///var/log]
disabled = false

## outputs.conf
[tcpout]
disabled=false
defaultGroup=indexCluster

## For load balanced Splunk Forwarding
#[tcpout:indexCluster]
#server=1.1.1.1:9997,2.2.2.2:9997,3.3.3.3:9997
#autoLB = true

## For non load balanced lightweight Splunk Forwarding (disabled by default)
[tcpout:indexCluster]
server=1.1.1.1:9997

See also:

Monitoring Files & Directories

Set Up Forwarding & Receiving

How can i configure input/output on universal forwarder