If we perform the installation of a forwarder on a Windows box, we get a menu of items to be monitored, like Application Logs, Security Logs, System Logs, CPU Load, Memory, Disk Space and so on. Whichever fields we select, they get monitored. But when we do the installation of the forwarder on a Linux machine, how can we fine-tune them? Moreover, on Windows boxes we have the inputs.conf file which shows the list of items being monitored; where can I check the same in Linux?
Here are the steps to configure a Splunk forwarder installed on Linux to forward data to the Splunk indexer:
From the /opt/splunkforwarder/bin directory, run the sudo ./splunk enable boot-start command to enable Splunk auto-start:
Next, you need to configure the indexer that the forwarder will send its data to. This is done using the ./splunk add forward-server HOST:9997 -auth USERNAME:PASSWORD command, with admin and changeme as the default values for the username and password:
To add the data, you would like to consume and send to the indexer, run the sudo ./splunk add monitor LOG -sourcetype SOURCE_TYPE -index NAME. For example, to add the /var/log/syslog file with the sourcetype of linux_logs and store it to the index called remotelogs, we would use the following command:
Restart the forwarder to apply the changes (sudo ./splunk restart). We can run a search to verify that events are indeed being sent:
You can learn in-depth Splunk forwarder configuration steps using screenshots here
If you install not the Universal Forwarder, but the full-blown Splunk, then configure it as a forwarder, you have a full GUI configuration with which to poke around through the local Web interface. You can then use the configuration files that you create in that installation of Splunk as templates - or at least to offer inspiration - in identical fashion in a Universal Forwarder installation. The primary differences between the two are that the UF does not give you the Web interface or the index creation facilities, and sits (by default) in /opt/splunkforwarder instead of
There is nothing like that in Linux. When you install a Linux forwarder, you must specify everything you want to monitor in inputs.conf manually. (And as you see, the Windows installation script simply writes an inputs.conf as well.)
As a starting point, you might want to install one or more of the technology add-on apps from apps.splunk.com on your forwarder.
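Added example, not from any of the posts above: a small POSIX shell script that writes the inputs.conf stanzas the "splunk add monitor" steps in the earlier answer produce, plus a scripted-input stanza for the CPU-stats question, so the file can be reviewed before restarting the forwarder. Assumed: SPLUNK_HOME is /opt/splunkforwarder, the app name "my_linux_inputs" and the script name cpu.sh are placeholders, and the sourcetype/index values are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not the original poster's or Splunk's code).
# Equivalent CLI for the first stanza, as in the answer above:
#   sudo ./splunk add monitor /var/log/syslog -sourcetype linux_logs -index remotelogs

# Emit a [monitor://...] stanza for a file or directory.
# $1 = absolute path to watch, $2 = sourcetype, $3 = index
monitor_stanza() {
  printf '[monitor://%s]\nsourcetype = %s\nindex = %s\ndisabled = 0\n\n' "$1" "$2" "$3"
}

# Emit a [script://...] stanza: Splunk runs the script every $4 seconds
# and indexes its stdout. This is how CPU/memory stats get collected on Linux.
# $1 = script path, $2 = sourcetype, $3 = index, $4 = interval in seconds
script_stanza() {
  printf '[script://%s]\nsourcetype = %s\nindex = %s\ninterval = %s\ndisabled = 0\n\n' \
    "$1" "$2" "$3" "$4"
}

# Build the complete inputs.conf for the two inputs discussed in the thread.
# $1 = SPLUNK_HOME (assumed /opt/splunkforwarder); app and script names are placeholders.
build_inputs_conf() {
  monitor_stanza /var/log/syslog linux_logs remotelogs
  script_stanza "$1/etc/apps/my_linux_inputs/bin/cpu.sh" cpu remotelogs 60
}

# Count stanzas (lines starting with '[') in an inputs.conf file.
count_stanzas() {
  grep -c '^\[' "$1"
}

# Write the file somewhere safe for review; copy it to
# $SPLUNK_HOME/etc/apps/my_linux_inputs/local/inputs.conf and restart to use it.
write_example() {
  home="${SPLUNK_HOME:-/opt/splunkforwarder}"
  out="${1:-/tmp/inputs.conf.example}"
  build_inputs_conf "$home" > "$out"
  echo "wrote $(count_stanzas "$out") stanzas to $out"
}
```

Run write_example (optionally with an output path) to generate the file; nothing touches the forwarder until you copy the result into place and restart.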
Yeah, I have heard about the app; I knew it. So without the app, just installing the forwarder on Linux, what all does it monitor? Adding the CPU stats to be monitored in the inputs.conf file, will that work?
You cannot enable the web interface on the forwarder installation. It flatly does not have it. If you want to enable the web interface you have to install the full Splunk, as referenced in my answer below.
As for how you monitor the different operating stats, that is a question of Linux systems administration which is too broad a topic for here. There is an app - Splunk on Unix (I think) - which you can install which will provide the basic hooks for you, but really, unless you already know your way around basic Linux sysadmin you will find it largely useless.
Above is the installation procedure I followed for installing the forwarder on Linux. During this procedure, where do I need to specify what all needs to be monitored in the inputs.conf file?
enablesplunkWebSSL = true
supportSSLV3Only = true