Getting Data In

How to set up a universal forwarder on Linux

bhavya_shah
Path Finder

Step-by-step setup for the universal forwarder.

1 Solution

bhavya_shah
Path Finder

For the universal forwarder:

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf

[monitor:///log1/log2/log3]
sourcetype = syslog
index = default
disabled = false
crcSalt =
ignoreOlderThan = 1d
host_segment = 4

If you are defining index = syslog instead of default for your input on your UF, you need to have an index called syslog on your indexer. For that, make sure to edit indexes.conf on the indexer.

/opt/splunkforwarder/etc/system/local/outputs.conf

[tcpout]
defaultGroup=syslog_index
disabled = false

# Forward the internal indexes as well as the non-internal ones
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*

[tcpout:syslog_index]
server=splunkserver:9997

Definitely make sure that the firewall is open on port 9997.

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/limits.conf

[thruput]
maxKBps = 0

On the Splunk indexer:

From the UI make sure to add the port:

Manager -> Forwarding and receiving -> Receive data

Add 9997.

That's it.


dhyanmohandas
Engager

Configure a Splunk Forwarder on Linux (Debian and Ubuntu)

Step 1: Download Splunk Universal Forwarder
http://www.splunk.com/download/universalforwarder
(.deb file and 64bit package if applicable)

Step 2: Install Forwarder
Command: sudo dpkg -i /path/filename.deb
sudo apt-get install -f
Accept the licence for the Splunk forwarder

Step 3: Enable boot-start/init script
Command: /opt/splunkforwarder/bin/splunk enable boot-start

Step 4: Configure Forwarder connection to Index Server
Command: /opt/splunkforwarder/bin/splunk add forward-server host.domain:9997
(Where host.domain is the fully qualified address or IP of the indexer and 9997 is the receiving port you create on the Indexer)

Step 5: Enter username and password
Default : Username: admin
Password: changeme

Step 6: Test Forwarder connection
Command: /opt/splunkforwarder/bin/splunk list forward-server
(Lists the active and inactive forward servers of the Splunk forwarder)

Step 7: Add Data
Command: /opt/splunkforwarder/bin/splunk add monitor /path/ -index main -sourcetype name
(Where /path/ is the path to the application logs on the host that you want to bring into Splunk, and name is the sourcetype you want to associate with that type of data)
This will create a file: inputs.conf in /opt/splunkforwarder/etc/apps/splunkforwarder/default/

Or edit

inputs.conf (/opt/splunkforwarder/etc/apps/splunkforwarder/default/)
[monitor:///path/]
sourcetype = syslog
index = default
disabled = false
(Where /path/ is the path of the .log file on the host)

outputs.conf (/opt/splunkforwarder/etc/system/local/)
[tcpout]
defaultGroup=syslog_index
disabled = false

[tcpout:syslog_index]
server=splunkserver:9997

[tcpout-server://splunkserver:9997]

vnguyen46
Contributor

This is great guidance. My follow-up question is: what stanza do I need to add in inputs.conf to send any application logs along with the syslog to a Splunk HF?

Thanks,


ChrisG
Splunk Employee

Have you looked at Deploy a *nix universal forwarder manually in the Distributed Deployment Manual?

attilatar
Explorer

I downvoted this post because the link is no longer available.
