How to use collectd on a remote host with Universal Forwarder?

eholz1
Communicator

Hello,

My goal is to send rrd file data to a Splunk indexer.

I have a remote host that currently forwards linux_secure data to the indexer - works fine.

I am NEVER able to create an input for any port, TCP or otherwise, from this dialog window:

When I configure a TCP forward-server using the UF, the forward-server never goes active - I only get "cooked" data on the indexer. The host and source type are configured.

If I configure a port (TCP or UDP) from here (this comes from Data/Data inputs/TCP):

This setting comes from Settings/Data/Forwarding and receiving.

I get data to the indexer.

I may be missing something.

I installed collectd on a remote host, configured it for the csv plug-in and the cpu plugin - this data is being collected and saved to the /var/lib/collectd directory on the remote host.

How can I get this data to Splunk and graph it?

I can see data coming in - but cannot do anything with it. The Splunk web site says that the HEC inputs must be used to get metrics into Splunk. How do I configure the remote host to do this? I.e. send the data from collectd to Splunk.

I am open to suggestions and clarification.

Thanks,

eholz1


chaker
Contributor

Hi @eholz1,

There are a few examples you can use to assist getting collectd metrics into Splunk via HEC.

The Splunk Add-on for Linux docs describe how to send collectd via HEC:
https://docs.splunk.com/Documentation/AddOns/released/Linux/Configure

The Analytics for Linux app also has working examples:
https://splunkbase.splunk.com/app/3777/#/details

They both use the write_http plugin in collectd.conf.

Read the docs page to ensure you are setting the HEC up correctly:

https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/UsetheHTTPEventCollector

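Added example (not taken from the answer above, the Splunk add-on, or the Analytics for Linux app): the shape of the write_http stanza those docs rely on, with the matching receiver side. collectd stays on the monitored host and pushes over HTTPS to the indexer's HEC port; the hostname, token and CA path are placeholders.

```conf
# --- collectd.conf on the remote host (placeholders: INDEXER_HOSTNAME, HEC_TOKEN_PLACEHOLDER, CA path) ---
LoadPlugin cpu
LoadPlugin write_http

<Plugin cpu>
  ReportByCpu true
  ReportByState true
  ValuesPercentage true
</Plugin>

<Plugin write_http>
  <Node "splunk_hec">
    # HEC raw endpoint; the collectd_http sourcetype parses collectd's JSON into metrics
    URL "https://INDEXER_HOSTNAME:8088/services/collector/raw"
    Header "Authorization: Splunk HEC_TOKEN_PLACEHOLDER"
    Format "JSON"
    Metrics true
    StoreRates true
    # Pin trust to the indexer's certificate so the token is only ever sent to the real HEC listener
    VerifyPeer true
    VerifyHost true
    CACert "/etc/ssl/certs/splunk-hec-ca.pem"
  </Node>
</Plugin>

# --- $SPLUNK_HOME/etc/system/local/indexes.conf on the indexer ---
[collectd_metrics]
datatype = metric
homePath = $SPLUNK_DB/collectd_metrics/db
coldPath = $SPLUNK_DB/collectd_metrics/colddb
thawedPath = $SPLUNK_DB/collectd_metrics/thaweddb

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the indexer ---
[http]
disabled = 0
port = 8088
enableSSL = 1

# One token per data source keeps revocation cheap if the remote host is ever compromised
[http://collectd]
disabled = 0
token = HEC_TOKEN_PLACEHOLDER
sourcetype = collectd_http
index = collectd_metrics
```

After restarting collectd, `| mcatalog values(metric_name) WHERE index=collectd_metrics` lists the cpu metrics that arrived, which is the quickest way to tell a TLS or token problem from a parsing one.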

eholz1
Communicator

Forgot to ask,

I have collectd installed on the remote host, not the indexer. Should collectd be installed on the indexer and point to the remote host I want to monitor?

Thanks,

eholz1

eholz1
Communicator

Hello Chaker,

Thanks for responding to my question. I will review the links you placed in your response.

This will help.

Thank you very much for taking the time to respond.

Eholz1
