Getting Data In

How to use collectd on a remote host with Universal Forwarder?

eholz1
Contributor

Hello,

My goal is to send rrd file data to a Splunk indexer.

I have a remote host that currently forwards linux_secure data to the indexer - works fine.

I am NEVER able to create an input for any port tcp or otherwise from this dialog window:

eholz1_0-1663970876641.png

When I configure a TCP forward-server using the UF, the forward-server never goes active - I only get "cooked" data on the indexer. The host and source type are configured.

If I configure a port (tcp or udp) from here: this comes from Data/Data inputs/TCP

eholz1_1-1663971021604.png

This setting comes from Settings/Data/Forwarding and receiving

I get data to the indexer. 

I may be missing something.

I installed collectd on a remote host, configured it for the csv plugin and the cpu plugin - this data is being collected and saved to the /var/lib/collectd directory on the remote host.

How can I get this data to Splunk and graph it?

I can see data coming in - but cannot do anything with it. The Splunk web site says that the HEC inputs must be used to get metrics into Splunk. How do I configure the remote host to do this? I.e., send the data from collectd to Splunk.

I am open to suggestions and clarification.

thanks

eholz1

 

0 Karma
1 Solution

chaker
Contributor

 Hi @eholz1 ,

There are a few examples you can use to assist getting collectd metrics into Splunk via HEC.

The Splunk Add-on for Linux docs describe how to send collectd via HEC:
https://docs.splunk.com/Documentation/AddOns/released/Linux/Configure

The Analytics for Linux app also has working examples.
https://splunkbase.splunk.com/app/3777/#/details

They both use the write_http plugin in collectd.conf.

Read the docs page to ensure you are setting the HEC up correctly.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/UsetheHTTPEventCollector
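
The write_http approach mentioned above, as an added example that is not part of the original answer or of the linked docs: a collectd.conf fragment for the monitored host that posts metrics to HEC over TLS. The host name, token and CA path are placeholders, and it assumes a HEC token whose sourcetype is collectd_http and whose default index is a metrics index; check the endpoint and token settings against the linked documentation.

```conf
# collectd.conf on the monitored (remote) host; collectd pushes to Splunk,
# so nothing needs to be installed on the indexer.
# Placeholders (assumptions, not from the thread):
#   splunk.example.com, <HEC_TOKEN>, /etc/collectd/splunk-ca.pem

LoadPlugin cpu
LoadPlugin write_http

<Plugin write_http>
  <Node "splunk_hec">
    # HEC raw endpoint; 8088 is the default HEC port.
    URL "https://splunk.example.com:8088/services/collector/raw"

    # The HEC token is a credential. Keep this file readable only by
    # the account collectd runs as (for example mode 0600).
    Header "Authorization: Splunk <HEC_TOKEN>"

    # Send values as JSON metrics, with counters converted to rates.
    Format "JSON"
    Metrics true
    StoreRates true

    # Validate the HEC server certificate and host name so the token
    # is not sent to an unverified endpoint.
    VerifyPeer true
    VerifyHost true
    CACert "/etc/collectd/splunk-ca.pem"
  </Node>
</Plugin>
```

Restart collectd after editing the file. Setting VerifyPeer to false to get past a self-signed HEC certificate exposes the token to interception; trust the issuing CA with CACert instead.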

 

 


eholz1
Contributor

Forgot to ask,

I have collectd installed on the remote host, not the indexer. Should collectd be installed on the indexer and point to the remote host I want to monitor?

 

Thanks,

eholz1

 

0 Karma

eholz1
Contributor

Hello Chaker,

Thanks for responding to my question. I will review the links you placed in your response.

This will help.

Thank you very much for taking the time to respond.

 

Eholz1

 

 

0 Karma