Step by step setup for universal forwarder.
For the universal forwarder:
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf
[monitor:///log1/log2/log3]
sourcetype = syslog
index = default
disabled = false
crcSalt = <SOURCE>
ignoreOlderThan = 1d
host_segment = 4
If you define index = syslog instead of default for your input on the UF, you need to have an index called syslog on your indexer. For that, make sure to edit indexes.conf on the indexer.
/opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup=syslog_index
disabled = false
# Forward the internal indexes as well as the non-internal ones
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*
[tcpout:syslog_index]
server=splunkserver:9997
Definitely make sure that the firewall is open on port 9997.
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/limits.conf
[thruput]
maxKBps = 0
On the Splunk indexer:
From the UI, make sure to add the port:
Manager -> Forwarding and receiving -> Receive data
Add 9997.
That's it.
Configure a Splunk Forwarder on Linux (Debian and Ubuntu)
Step 1: Download Splunk Universal Forwarder
http://www.splunk.com/download/universalforwarder
(.deb file and 64bit package if applicable)
Step 2: Install Forwarder
Command: sudo dpkg -i /path/filename.deb
sudo apt-get install -f
Accept the license for the Splunk forwarder
Step 3: Enable boot-start/init script
Command: /opt/splunkforwarder/bin/splunk enable boot-start
Step 4: Configure Forwarder connection to Index Server
Command: /opt/splunkforwarder/bin/splunk add forward-server host.domain:9997
(Where host.domain is the fully qualified name or IP of the indexer and 9997 is the receiving port you created on the indexer)
Step 5: Enter username and password
Default : Username: admin
Password: changeme
Step 6: Test Forwarder connection
Command: /opt/splunkforwarder/bin/splunk list forward-server
(Lists the active and inactive forward-servers of the Splunk forwarder)
Step 7: Add Data
Command: /opt/splunkforwarder/bin/splunk add monitor /path/ -index main -sourcetype name
(Where /path/ is the path to the application logs on the host that you want to bring into Splunk, and name is the sourcetype you want to associate with that type of data)
This will create a file, inputs.conf, in /opt/splunkforwarder/etc/apps/splunkforwarder/default/
Or edit
inputs.conf (/opt/splunkforwarder/etc/apps/splunkforwarder/default/)
[monitor:///path/]
sourcetype = syslog
index = default
disabled = false
(Where /path/ is the path of the .log file on the host)
outputs.conf (/opt/splunkforwarder/etc/system/local/)
[tcpout]
defaultGroup=syslog_index
disabled = false
[tcpout:syslog_index]
server=splunkserver:9997
[tcpout-server://splunkserver:9997]
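The two answers above end up with the same three files on the forwarder (inputs.conf, outputs.conf, limits.conf) plus a receiving port on the indexer, and the first one warns that an index named in a UF input must also exist on the indexer. What follows is an added example, not code from this thread or from Splunk: a small Python linter that parses those files using their real stanza syntax, checks that consistency before you deploy (defaultGroup names a defined [tcpout:<group>] stanza, server entries are host:port, each monitor stanza's index is defined on the indexer, maxKBps sits under [thruput]), and evaluates forwardedindex.<n> whitelist/blacklist rules the way the outputs.conf spec describes them (rules tested in ascending n, the highest-numbered matching rule decides). The sample configuration, the index names syslog and app, the application-log stanza with sourcetype myapp:log, and the indexer's index list are all constructed for the example.

```python
"""Lint a Splunk universal-forwarder config before pushing it out. Added example,
not code from the thread or from Splunk; sample confs and index names are constructed."""
import re

# Constructed inputs.conf: syslog plus an application log with its own
# sourcetype. The 'app' index is deliberately missing on the indexer below.
INPUTS_CONF = """[monitor:///var/log/syslog]
sourcetype = syslog
index = syslog
disabled = false
crcSalt = <SOURCE>
[monitor:///var/log/myapp/app.log]
sourcetype = myapp:log
index = app
disabled = false
"""
# Constructed outputs.conf carrying the thread's forwardedindex rules.
OUTPUTS_CONF = """[tcpout]
defaultGroup = syslog_index
disabled = false
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*
[tcpout:syslog_index]
server = splunkserver:9997
"""
LIMITS_CONF = """[thruput]
maxKBps = 0
"""
# Constructed: the indexes the indexer's indexes.conf declares.
INDEXER_INDEXES = {"main", "syslog", "_internal", "_audit", "_introspection"}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are
    comments and keys before the first [stanza] land in 'default'."""
    stanzas, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")  # values may themselves contain '='
        if sep:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def index_is_forwarded(tcpout, index):
    """forwardedindex.<n>.whitelist/blacklist rules are tested in ascending n and the
    highest-numbered matching rule decides; whitelist beats blacklist at the same n.
    No matching rule -> forwarded (assumption; the stock rule 0 '.*' matches everything)."""
    rules = []
    for key, pattern in tcpout.items():
        m = re.fullmatch(r"forwardedindex\.(\d+)\.(whitelist|blacklist)", key)
        if m:
            rules.append((int(m.group(1)), m.group(2), pattern))
    forwarded = True
    for _, kind, pattern in sorted(rules):  # 'blacklist' sorts before 'whitelist'
        if re.fullmatch(pattern, index):
            forwarded = kind == "whitelist"
    return forwarded


def lint_forwarder(inputs, outputs, limits, indexer_indexes):
    """Return a list of problems; an empty list means the UF config is consistent."""
    problems = []
    tcpout = outputs.get("tcpout", {})
    group = tcpout.get("defaultGroup")
    if not group:
        problems.append("outputs.conf: [tcpout] has no defaultGroup")
    elif f"tcpout:{group}" not in outputs:
        problems.append(f"outputs.conf: no [tcpout:{group}] stanza for defaultGroup")
    else:
        for server in outputs[f"tcpout:{group}"].get("server", "").split(","):
            host, _, port = server.strip().rpartition(":")
            if not host or not port.isdigit():
                problems.append(f"outputs.conf: server '{server.strip()}' is not host:port")
    for name, body in inputs.items():
        idx = body.get("index")
        if name.startswith("monitor://") and idx and idx not in indexer_indexes:
            problems.append(f"inputs.conf: [{name}] sends to index '{idx}', "
                            "which the indexer does not define")
    for stanza, body in limits.items():
        if "maxKBps" in body and stanza != "thruput":
            problems.append(f"limits.conf: maxKBps under [{stanza}] belongs under [thruput]")
    return problems


def check_sample():
    """Lint the embedded sample; returns only the missing 'app' index problem."""
    return lint_forwarder(parse_conf(INPUTS_CONF), parse_conf(OUTPUTS_CONF),
                          parse_conf(LIMITS_CONF), INDEXER_INDEXES)
```

Running check_sample() reports that [monitor:///var/log/myapp/app.log] targets an index the indexer does not define, which is exactly the case the first answer warns about: add the index to indexes.conf on the indexer (or change the stanza) before restarting the forwarder. To lint a live deployment, read your files from etc/system/local and etc/apps/<app>/local and pass them through parse_conf; putting edits in local/ rather than default/ keeps them from being overwritten on upgrade.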

This is great guidance. My follow-up question is: what stanza do I need to add in inputs.conf to send any application logs along with the syslog to a Splunk HF?
Thanks,
Have you looked at Deploy a *nix universal forwarder manually in the Distributed Deployment Manual?
I downvoted this post because the link is no longer available.
