How to use collectd on a remote host with Universal Forwarder?

eholz1
Contributor

Hello,

My goal is to send RRD file data to a Splunk indexer.

I have a remote host that currently forwards linux_secure data to the indexer; this works fine.

I am NEVER able to create an input for any port, TCP or otherwise, from this dialog window:

[screenshot: eholz1_0-1663970876641.png]

When I configure a TCP forward-server using the UF, the forward-server never goes active. I only get "cooked" data on the indexer. The host and source type are configured.

If I configure a port (TCP or UDP) from here (this comes from Data/Data inputs/TCP):

[screenshot: eholz1_1-1663971021604.png]

This setting comes from Settings/Data/Forwarding and receiving

I get data to the indexer.

I may be missing something.

I installed collectd on a remote host and configured it for the csv plugin and the cpu plugin. This data is being collected and saved to the /var/lib/collectd directory on the remote host.

How can I get this data to Splunk and graph it?

I can see data coming in, but cannot do anything with it. The Splunk web site says that HEC inputs must be used to get metrics into Splunk. How do I configure the remote host to do this, i.e. send the data from collectd to Splunk?

I am open to suggestions and clarification.

Thanks,

eholz1

1 Solution

chaker
Contributor

Hi @eholz1,

There are a few examples you can use to assist getting collectd metrics into Splunk via HEC.

The Splunk Add-on for Linux docs describe how to send collectd via HEC:
https://docs.splunk.com/Documentation/AddOns/released/Linux/Configure

The Analytics for Linux app also has working examples:
https://splunkbase.splunk.com/app/3777/#/details

They both use the write_http plugin in collectd.conf.

Read the docs page to ensure you are setting the HEC up correctly:

https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/UsetheHTTPEventCollector

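As an added illustration of the write_http approach the answer points to (example config written here, not taken from the Splunk docs or the Analytics for Linux app), this collectd.conf fragment runs on the monitored remote host and posts metrics straight to the indexer's HEC port. SPLUNK_HOST, SPLUNK_HEC_TOKEN and the CA file path are placeholders; it assumes HEC is enabled on the indexer and the token is bound to a metrics index with sourcetype collectd_http.

```apache
# Added example collectd.conf fragment (not from the Splunk docs or the
# Analytics for Linux app). Placeholders: SPLUNK_HOST, SPLUNK_HEC_TOKEN,
# /etc/collectd/splunk-hec-ca.pem. Assumes the HEC token is tied to a
# metrics index with sourcetype collectd_http, so the raw endpoint can
# parse the JSON that write_http emits.

LoadPlugin cpu
LoadPlugin write_http

# Matches the poster's setup: only the cpu plugin is collected here.
# The csv plugin can stay enabled for local files, but it is not what
# feeds Splunk.
<Plugin cpu>
  ReportByCpu true
  ReportByState true
  ValuesPercentage true
</Plugin>

<Plugin write_http>
  <Node "splunk">
    URL "https://SPLUNK_HOST:8088/services/collector/raw"
    # HEC authenticates with a bearer-style header; keep the token out of
    # world-readable files (collectd.conf should be root:root, mode 0640).
    Header "Authorization: Splunk SPLUNK_HEC_TOKEN"
    Format "JSON"
    Metrics true
    Notifications false
    StoreRates true
    BufferSize 4096
    LogHttpError true
    # Keep TLS verification on and trust the CA that signed the HEC
    # certificate rather than disabling VerifyPeer.
    VerifyPeer true
    VerifyHost true
    CACert "/etc/collectd/splunk-hec-ca.pem"
  </Node>
</Plugin>
```

After restarting collectd, a failed post shows up in collectd's log (LogHttpError true), and a 403 there usually means the token or its index/sourcetype binding is wrong rather than the network path.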


eholz1
Contributor

Forgot to ask,

I have collectd installed on the remote host, not the indexer. Should collectd be installed on the indexer and point to the remote host I want to monitor?


Thanks,

eholz1


eholz1
Contributor

Hello Chaker,

Thanks for responding to my question. I will review the links you placed in your response.

This will help.

Thank you very much for taking the time to respond.


Eholz1
