Getting Data In

How do I configure a UF on Linux to receive and forward windows events?

pfabrizi
Path Finder

I need to configure a Linux based UF to receive Windows events and then forward those to the indexers. I am guessing that there is an
inputs.conf and outputs.conf needing to be configured.

Just not sure how to configure these stanzas, mostly inputs.conf.

This would receive events from Windows servers in a web zone, so we only need to open the firewall for the UF.

Thanks!

0 Karma
1 Solution

FrankVl
Ultra Champion

And how exactly did you envision that windows server sending the logs to the Linux UF?

Unless you also put Splunk on the windows box (or use some sub-optimal solution with an agent like Snare) I don't really see how you are going to accomplish that.

Assuming you have Splunk on the windows box as well and the Linux UF just acts as an intermediate forwarder, it should be as simple as enabling a splunktcp input on the UF and setting the correct output config to send to your indexers.

What exactly are you not sure about?

0 Karma

pfabrizi
Path Finder

I am not sure on how to set up the tcp input, to accept events from 300 Windows servers. Windows servers will be running the Windows Splunk UF.

should the input just look for the Windows UF port?

Which would be?

Thanks!

0 Karma

FrankVl
Ultra Champion

Technically you can use whatever port you want, just as long as the outputs.conf on the Windows UFs is using the same port as the splunktcp input (so not a normal TCP input) on your Linux UF intermediate forwarder. In general I guess 9997 is typically used for this.

See also the documentation on how to set up forwarding (basically this is no different from setting up forwarding from a forwarder to an indexer, just that you have one more Splunk instance in between, that receives and then also sends it again).
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata
specifically: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Configureanintermediateforwarder

0 Karma
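The three configuration files the answer above describes, written out as an added example (this is not configuration from the original thread or from Splunk's documentation). Hostnames are placeholders; port 9997 is the conventional choice named in the answer, and the only inbound firewall opening needed on the Linux UF is that port from the web zone, with outbound 9997 from the Linux UF to the indexers. The key point is that the Linux UF listens with a `[splunktcp://...]` stanza, not a plain `[tcp://...]` stanza, because the Windows UFs speak the Splunk-to-Splunk protocol:

```ini
# --- On each of the 300 Windows UFs: %SPLUNK_HOME%\etc\system\local\outputs.conf ---
# Send all collected events to the Linux intermediate forwarder on the port
# its splunktcp input listens on. The hostname is a placeholder.
[tcpout]
defaultGroup = linux_intermediate

[tcpout:linux_intermediate]
server = linux-uf.example.internal:9997

# --- On the Linux intermediate UF: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# A Splunk-to-Splunk receiver. This must be [splunktcp://...], not [tcp://...];
# a plain tcp input would treat the forwarder traffic as raw text.
[splunktcp://9997]
disabled = 0

# --- On the Linux intermediate UF: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Relay everything received on to the indexers, which must also have a
# splunktcp input on 9997. Indexer hostnames are placeholders.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
```

The CLI writes the same stanzas if you prefer it: `splunk enable listen 9997` on the Linux UF creates the splunktcp input, and `splunk add forward-server linux-uf.example.internal:9997` on a Windows UF creates the tcpout group. After restarting, `splunk list forward-server` on a Windows UF shows whether the Linux UF appears under active forwards, which is the quickest way to tell whether the firewall opening from the web zone is actually working.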

pfabrizi
Path Finder

Thank You!

0 Karma