Getting Data In

Universal Forwarder for OSX installed - how is it configured ?

New Member

Hello All,

I have the OSX Universal Forwarder installed on a 10.5 machine and Splunk installed on a server successfully receiving events from two Windows machines.

How do I configure the OSX Forwarder to:

  • Nominate the log files I want monitored.
  • Set the IP address of the server that the Forwarder will send event data too.

I cannot find this specific information in the documentation.

Cheers

Tags (1)
0 Karma

Legend

You need to create the following files:

inputs.conf - to identify the files to be monitored

See http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf for help. You may also need props.conf, but it depends on your inputs. Here is an example that monitors a single syslog log file:

[monitor:///logs/mylogfile.log]
sourcetype=syslog
host=yourOSXhostname

outputs.conf - to tell Splunk where to forward the data. Example:

[tcpout:my_indexer]
server=10.10.10.1:9997

Note that you have to supply the server ip (or dns name) and the port number where Splunk is listening for forwarded data. See http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd for more info and options.

Put the files in "/Applications/splunkforwarder/etc/system/local" or your equivalent.

0 Karma