How to configure Splunk forwarder on Linux?

Path Finder

Hi Team,

If we perform the installation of a forwarder on a Windows box we get a menu of items to be monitored, like Application Logs, Security Logs, System Logs, CPU Load, Memory, Disk Space and so on. Whichever fields we select, they get monitored. But when we do the installation of a forwarder on a Linux machine, how can we fine-tune them? Moreover, on Windows boxes we have the inputs.conf file which shows the list of items being monitored; where can I check the same in Linux?

Thanks,
Sushma.


Engager

Hello,

Here are the steps to configure a Splunk forwarder installed on Linux to forward data to the Splunk indexer:

From the /opt/splunkforwarder/bin directory, run the sudo ./splunk enable boot-start command to enable Splunk auto-start:

Next, you need to configure the indexer that the forwarder will send its data to. This is done using the ./splunk add forward-server HOST:9997 -auth USERNAME:PASSWORD command, with admin and changeme as the default values for the username and password:

To add the data you would like to consume and send to the indexer, run sudo ./splunk add monitor LOG -sourcetype SOURCE_TYPE -index NAME. For example, to add the /var/log/syslog file with the sourcetype linux_logs and store it in the index called remotelogs, we would use the following command:

Restart the forwarder to apply the changes (sudo ./splunk restart). We can run a search to verify that events are indeed being sent:

You can learn the in-depth Splunk forwarder configuration steps, with screenshots, here

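The four steps in the answer above, as an added example that is not from the original thread: a POSIX shell script that writes the same outputs.conf and inputs.conf stanzas that splunk add forward-server and splunk add monitor generate. Those stanzas are also the Linux answer to "where can I check what is being monitored": the Windows installer's checklist ends up as [monitor://...] stanzas in inputs.conf, nothing more. The indexer name idx.example.com, the output group name primary_indexers and the choice of etc/system/local as the target directory are assumptions; on a real forwarder the CLI may place the stanzas in an app's local directory instead, so use splunk btool inputs list --debug (or splunk list monitor) to see the effective stanzas and the file each one comes from. Two caveats for the CLI route: passing -auth admin:changeme on the command line leaves the password in shell history, and changeme is the default that should be replaced before the host goes into service.

```shell
#!/bin/sh
# Added example (not from the thread): produce the conf stanzas that
#   splunk add forward-server HOST:9997
#   splunk add monitor PATH -sourcetype ST -index IDX
# write, so they can be inspected or shipped as files. SPLUNK_HOME defaults to
# a scratch directory so the script runs offline; on a real forwarder set
# SPLUNK_HOME=/opt/splunkforwarder, run as root, then "splunk restart".

SPLUNK_HOME="${SPLUNK_HOME:-$(mktemp -d)}"

# outputs.conf: where the forwarder sends data. The target directory
# (etc/system/local) and the group name primary_indexers are assumptions.
uf_add_forward_server() {
  dir="$SPLUNK_HOME/etc/system/local"
  mkdir -p "$dir"
  {
    printf '[tcpout]\n'
    printf 'defaultGroup = primary_indexers\n\n'
    printf '[tcpout:primary_indexers]\n'
    printf 'server = %s\n' "$1"
  } > "$dir/outputs.conf"
}

# inputs.conf: one [monitor://PATH] stanza per file or directory to tail.
# Arguments: path sourcetype index
uf_add_monitor() {
  dir="$SPLUNK_HOME/etc/system/local"
  mkdir -p "$dir"
  {
    printf '[monitor://%s]\n' "$1"
    printf 'sourcetype = %s\n' "$2"
    printf 'index = %s\n' "$3"
    printf 'disabled = false\n\n'
  } >> "$dir/inputs.conf"
}

# List monitored paths: the Linux counterpart of the Windows installer's
# checklist is just the set of [monitor://...] stanzas in inputs.conf.
uf_list_monitors() {
  sed -n 's|^\[monitor://\(.*\)]$|\1|p' "$SPLUNK_HOME/etc/system/local/inputs.conf" 2>/dev/null
}

# Exit 0 if PATH has a monitor stanza, 1 otherwise.
uf_is_monitored() {
  uf_list_monitors | grep -qxF -- "$1"
}

# Demo with the thread's values: syslog -> sourcetype linux_logs, index remotelogs.
uf_add_forward_server "idx.example.com:9997"   # indexer name is an assumption
uf_add_monitor /var/log/syslog linux_logs remotelogs
uf_add_monitor /var/log/auth.log linux_secure remotelogs
echo "Monitored paths under $SPLUNK_HOME:"
uf_list_monitors
echo "--- outputs.conf"
cat "$SPLUNK_HOME/etc/system/local/outputs.conf"
```

After deploying such files, splunk btool inputs list --debug shows every effective stanza together with the file it was read from, which is the quickest way to confirm that a monitor you expect is actually active on the forwarder.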

New Member

Under Oracle Solaris 11 I have 4 zones pushing data to a global zone + an external server and I am seeing both in machines log activity from the four zones fine.


Motivator

Was this intended to be a new question? I ask because it seems to have no relevance as an answer to the question posed above. If you DO have a question, I suggest you post it as such.


Motivator

If you install not the Universal Forwarder but the full-blown Splunk, then configure it as a forwarder, you have a full GUI configuration with which to poke around through the local Web interface. You can then use the configuration files that you create in that installation of Splunk as templates - or at least to offer inspiration - in identical fashion in a Universal Forwarder installation. The primary differences between the two are that the UF does not give you the Web interface or the index creation facilities, and sits (by default) in /opt/splunkforwarder instead of /opt/splunk.


Legend

There is nothing like that in Linux. When you install a Linux forwarder, you must specify everything you want to monitor in inputs.conf manually. (And as you see, the Windows installation script simply writes an inputs.conf as well.)

As a starting point, you might want to install one or more of the technology add-on apps from apps.splunk.com on your forwarder.

Path Finder

Yeah, I have heard about the app, I knew it. So without the app, just installing the forwarder on Linux, what all does it monitor? Adding the CPU stats to be monitored in the inputs.conf file, will that work?


Motivator

You cannot enable the web interface on the forwarder installation. It flatly does not have it. If you want to enable the web interface you have to install the full Splunk, as referenced in my answer below.

As for how you monitor the different operating stats, that is a question of Linux systems administration which is too broad a topic for here. There is an app - Splunk on Unix (I think) - which you can install which will provide the basic hooks for you, but really, unless you already know your way around basic Linux sysadmin you will find it largely useless.


Path Finder

For example, if I want to monitor the CPU statistics, how will I do that? On Windows it's configured by default under the inputs.conf file.

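For the CPU-statistics case asked about above: on Linux this is done with a scripted input, a stanza in inputs.conf that tells the forwarder to run a script on an interval and index whatever it prints. Below is an added example of such a script; it is not from the original thread and it is not the cpu.sh shipped with the Splunk App for Unix and Linux mentioned in the replies. The stanza path, the sourcetype linux_cpu and the index remotelogs are assumptions. The /proc/stat field layout and the busy/total arithmetic are standard Linux. The script samples twice so the percentage covers the interval, because a single read of /proc/stat gives cumulative counters since boot and would only ever report the boot-time average.

```shell
#!/bin/sh
# Added example: a scripted input for a Linux Universal Forwarder that reports
# CPU busy percentage as one key=value event. Register it with a stanza like
# the following in inputs.conf (path, sourcetype and index are assumptions):
#
#   [script://$SPLUNK_HOME/etc/apps/my_linux_ta/bin/cpu_stats.sh]
#   interval = 60
#   sourcetype = linux_cpu
#   index = remotelogs
#   disabled = false

STAT_FILE="${STAT_FILE:-/proc/stat}"   # override to run against a sample file
INTERVAL="${INTERVAL:-1}"              # seconds between the two samples

# The aggregate line: "cpu  user nice system idle iowait irq softirq steal ..."
cpu_line() { grep '^cpu ' "$1"; }

# Print "busy total" jiffies for one cpu line (guest time is already counted in user).
cpu_totals() {
  set -- $1
  total=$(($2 + $3 + $4 + $5 + $6 + $7 + $8 + ${9:-0}))
  busy=$((total - $5 - $6))          # everything except idle and iowait
  echo "$busy $total"
}

# Integer percent busy between two samples; 0 if no ticks elapsed
# (for example when the same line is passed twice).
cpu_busy_pct() {
  set -- $(cpu_totals "$1") $(cpu_totals "$2")
  dbusy=$(($3 - $1)); dtotal=$(($4 - $2))
  [ "$dtotal" -gt 0 ] || { echo 0; return 0; }
  echo $((dbusy * 100 / dtotal))
}

# Format one event from two samples; key=value pairs are auto-extracted at search time.
cpu_event() {
  pct=$(cpu_busy_pct "$1" "$2")
  set -- $2
  printf '%s host=%s cpu=all pct_busy=%s user=%s system=%s idle=%s iowait=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$pct" "$2" "$4" "$5" "$6"
}

# When run by splunkd (or by hand on a Linux host) emit a single event and exit.
if [ -r "$STAT_FILE" ]; then
  first=$(cpu_line "$STAT_FILE")
  sleep "$INTERVAL"
  cpu_event "$first" "$(cpu_line "$STAT_FILE")"
fi
```

The script must be executable by the user splunkd runs as, and the interval in the stanza should be longer than INTERVAL so successive runs do not overlap. The same pattern (read a kernel counter file twice, print one line of key=value pairs) covers memory, disk and network counters from /proc as well.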

Path Finder

Above is the installation procedure I followed for installing the forwarder on Linux. During this procedure, where do I need to specify what all needs to be monitored in the inputs.conf file?


Path Finder

# Set once so the remaining commands use one consistent path
SPLUNK_HOME=/opt/splunkforwarder

sudo rpm -ivh splunkforwarder_package_name.rpm

# First start; --accept-license skips the interactive prompt
sudo $SPLUNK_HOME/bin/splunk start --accept-license

# Install the init script so the forwarder starts at boot
sudo $SPLUNK_HOME/bin/splunk enable boot-start

# Point the forwarder at the indexer (default receiving port 9997)
sudo $SPLUNK_HOME/bin/splunk add forward-server splunkserverip:9997

# The Universal Forwarder has no web interface, so these web.conf settings
# have no effect on it; supportSSLV3Only = true would also limit a full
# Splunk install to SSLv3, which is insecure.
sudo cp $SPLUNK_HOME/etc/system/default/web.conf $SPLUNK_HOME/etc/system/local/web.conf
sudo vi $SPLUNK_HOME/etc/system/local/web.conf
# settings placed under the [settings] stanza:
enableSplunkWebSSL = true
supportSSLV3Only = true

# Restart through the init script created by enable boot-start
sudo service splunk restart

# Confirm the connection to the indexer is active
sudo $SPLUNK_HOME/bin/splunk list forward-server
