How to setup universal forwarder on linux

bhavya_shah
Path Finder

Step by step setup for universal forwarder.

1 Solution

bhavya_shah
Path Finder

For the universal forwarder:

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf

[monitor:///log1/log2/log3]
sourcetype = syslog
# "main" is the index Splunk creates out of the box; there is no index named "default"
index = main
disabled = false
# empty crcSalt is the default; set it to <SOURCE> to key the read checkpoint on the file path
crcSalt =
ignoreOlderThan = 1d
# take the host value from the 4th segment of the monitored file's path
host_segment = 4

If you are defining index = syslog instead of the default index for your input on your UF, you need to have an index called syslog on your indexer. For that make sure to edit indexes.conf on the indexer.

/opt/splunkforwarder/etc/system/local/outputs.conf

[tcpout]
defaultGroup = syslog_index
disabled = false

# Forward the internal indexes as well as the non-internal ones
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*

[tcpout:syslog_index]
server = splunkserver:9997

Definitely make sure that the firewall is open on port 9997.

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/limits.conf

# maxKBps is only honoured inside the [thruput] stanza; 0 removes the forwarder's default 256 KB/s cap
[thruput]
maxKBps = 0

On the Splunk indexer:

From the UI make sure to add the port:

Manager -> Forwarding and receiving -> Receive data

Add 9997.

That's it.

dhyanmohandas
Engager

Configure a Splunk Forwarder on Linux (Debian and Ubuntu)

Step 1: Download Splunk Universal Forwarder
http://www.splunk.com/download/universalforwarder
(.deb file and 64-bit package if applicable)

Step 2: Install Forwarder
Command: sudo dpkg -i /path/filename.deb
sudo apt-get install -f
Accept the license for the Splunk forwarder

Step 3: Enable boot-start/init script
Command: /opt/splunkforwarder/bin/splunk enable boot-start

Step 4: Configure Forwarder connection to Index Server
Command: /opt/splunkforwarder/bin/splunk add forward-server host.domain:9997
(Where host.domain is the fully qualified address or IP of the indexer and 9997 is the receiving port you create on the Indexer)

Step 5: Enter username and password
Default: Username: admin
Password: changeme

Step 6: Test Forwarder connection
Command: /opt/splunkforwarder/bin/splunk list forward-server
(Lists the active and inactive forward-servers of the Splunk forwarder)

Step 7: Add Data
Command: /opt/splunkforwarder/bin/splunk add monitor /path/ -index main -sourcetype name
(Where /path/ is the path to application logs on the host that you want to bring into Splunk, and name is the sourcetype you want to associate with that type of data)
This will create a file inputs.conf in /opt/splunkforwarder/etc/apps/splunkforwarder/default/

Or edit

inputs.conf (/opt/splunkforwarder/etc/apps/splunkforwarder/default/)
[monitor:///path/]
sourcetype = syslog
index = main
disabled = false
(Where /path/ is the path of the .log file on the host)

outputs.conf (/opt/splunkforwarder/etc/system/local/)
[tcpout]
defaultGroup = syslog_index
disabled = false

[tcpout:syslog_index]
server = splunkserver:9997

[tcpout-server://splunkserver:9997]
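Two things silently break the setup described in the two posts above: a defaultGroup that names no matching [tcpout:<group>] stanza, and a maxKBps line that sits outside the [thruput] stanza it belongs in. The POSIX sh lint below checks a forwarder's outputs.conf and limits.conf for both before you restart it; it is an added example, not code from the thread or from Splunk, and the sample files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): lint a universal forwarder's outputs.conf and
# limits.conf before restarting it. The sample files below are constructed for the demo.

# conf_get FILE STANZA KEY: print KEY's value inside [STANZA] in FILE (empty if absent).
conf_get() {
    awk -v st="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { h = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", h)
                            in_st = (h == st); next }
        in_st && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }
    ' "$1"
}

# check_outputs FILE: defaultGroup in [tcpout] must name a [tcpout:<group>] stanza that
# carries a server= line; prints host:port on success, returns 1 otherwise.
check_outputs() {
    group=$(conf_get "$1" tcpout defaultGroup)
    [ -n "$group" ] || { echo "outputs.conf: no defaultGroup in [tcpout]" >&2; return 1; }
    server=$(conf_get "$1" "tcpout:$group" server)
    [ -n "$server" ] || { echo "outputs.conf: no server= in [tcpout:$group]" >&2; return 1; }
    echo "$server"
}

# check_thruput FILE: maxKBps only takes effect inside [thruput]; a bare line is ignored.
check_thruput() {
    v=$(conf_get "$1" thruput maxKBps)
    [ -n "$v" ] || { echo "limits.conf: maxKBps is not set under [thruput]" >&2; return 1; }
    echo "$v"
}

# Constructed sample files: the stanzas from the thread plus one deliberately wrong limits.conf.
TMP=$(mktemp -d)
cat >"$TMP/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = syslog_index
disabled = false

[tcpout:syslog_index]
server = splunkserver:9997
EOF
printf '[thruput]\nmaxKBps = 0\n' >"$TMP/limits_good.conf"
printf 'maxKBps = 0\n' >"$TMP/limits_bad.conf"   # no stanza: the forwarder keeps its default cap

check_outputs "$TMP/outputs.conf"        # prints splunkserver:9997
check_thruput "$TMP/limits_good.conf"    # prints 0
check_thruput "$TMP/limits_bad.conf" || echo "fix limits_bad.conf before restarting"
```

Point the two check functions at the forwarder's real files (the etc/system/local copies survive upgrades, the default/ ones do not) to run the same checks on a live host.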

vnguyen46
Contributor

This is great guidance. My follow-up question is: what stanza do I need to add in inputs.conf to send any application logs along with the syslog to a Splunk HF?

Thanks,

ChrisG
Splunk Employee

Have you looked at Deploy a *nix universal forwarder manually in the Distributed Deployment Manual?

attilatar
Explorer

I downvoted this post because the link is no longer available.
