I have the OSX Universal Forwarder installed on a 10.5 machine and Splunk installed on a server successfully receiving events from two Windows machines.
How do I configure the OSX Forwarder to:
I cannot find this specific information in the documentation.
You need to create the following files:
inputs.conf - to identify the files to be monitored
See http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf for help. You may also need props.conf, but it depends on your inputs. Here is an example that monitors a single syslog log file:
outputs.conf - to tell Splunk where to forward the data. Example:
Note that you have to supply the server ip (or dns name) and the port number where Splunk is listening for forwarded data. See http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd for more info and options.
Put the files in "/Applications/splunkforwarder/etc/system/local" or your equivalent.