inputs.conf
[default]
host = linux_fowarder_server
[monitor:///var/log/secure]
disabled = false
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = SPLUNKSERVERNAME:514
[tcpout-server://SPLUNKSERVERNAME:514]
deploymentclient.conf
[deployment-client]
clientName = LinuxForwarder
[target-broker:deploymentServer]
targetUri= SPLUNKSERVERNAME:8089
server.conf
[sslConfig]
sslKeysfilePassword = $1$INbYbpZpebsv
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[general]
pass4SymmKey = $1$d5qMMtMvMukv
serverName = _linux_fowarder_server_name
I've already enabled port 514 and 9997 in splunk server.
