Getting Data In

multiple outputs.conf and inputs.conf on the same forwarder

damucka
Builder

Hello,

I have the case that I am sharing the UFs with the Splunk SIEM solution, however I work for another project collecting the Unix / Database log details. I have no access to the SIEM and there is basically little chance to reuse the data from there for our purpose.

So, I would like to collect for example the /var/log/messages from the unix/vm machines and send it to my own indexer. I thought I would create a custom app, say called VARLOG, which would consist of the inputs.conf and outputs.conf and forward the var/log/messages to my Splunk. Now, the questions that come to my mind are:

- how does it actually work when there are multiple inputs/outputs.conf in different apps on the forwarder?

- is it possible to have it that way at all? Would my inputs/outputs.conf be valid only for my VARLOG app, as it is in the corresponding app folder on the forwarder? Or will the inputs/outputs files be joined by the forwarder based on the precedence rules, and then I really need to be careful what goes where?

Shortly speaking, how would I take the //messages and forward it somewhere else in case it is already being collected by another app?

Kind Regards,

Kamil


richgalloway
SplunkTrust
You need to be really careful about what goes where. Splunk apps are not fully independent entities. Instead, all inputs.conf files are merged to define the inputs for the UF. Likewise for outputs.conf.
---
If this reply helps you, Karma would be appreciated.

isoutamo
SplunkTrust

Hi

As you don't have any control over the SIEM, it may be better to install an additional UF on that host. If you do that, you must use a separate folder, e.g. /opt/splunkforwarder_2, and you must also update the startup files and/or rename them to something other than splunk / splunkd.service, otherwise there will be some challenges later on.

Another option, as @richgalloway and you already said, is to use separate inputs.conf and outputs.conf on that host. BUT that must be agreed with the SIEM group, otherwise you can be sure that from time to time you will lose your logs. In this case btool is your friend. And you must agree on proper change management, with testing, with the SIEM group!

r. Ismo
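A worked example of the second option above (one UF, a separate app that routes /var/log/messages to a second indexer while the SIEM keeps its copy), added here as an illustration; it is not configuration from either answer or from Splunk's own apps. The app name VARLOG is the asker's; the output group names `siem_indexers` and `my_indexers`, the hostnames and the port 9997 are assumptions, and the SIEM group's real name has to be taken from the SIEM app's outputs.conf.

```ini
# $SPLUNK_HOME/etc/apps/VARLOG/local/inputs.conf   (added example; assumed paths and names)
#
# The UF merges every inputs.conf on the host into one effective file, so a
# stanza with the same name as the SIEM app's stanza does NOT create a second
# input: the attributes of both stanzas are merged by precedence. Only the
# routing attribute is set here, so the SIEM's sourcetype/index settings in
# the other app are left untouched. Listing both output groups keeps the
# SIEM's copy flowing and adds yours; listing only my_indexers would take
# the data away from the SIEM.
[monitor:///var/log/messages]
_TCP_ROUTING = siem_indexers, my_indexers

# $SPLUNK_HOME/etc/apps/VARLOG/local/outputs.conf  (added example; assumed host)
#
# Define only your own group here. Do not set defaultGroup in this file:
# there is a single effective defaultGroup per forwarder, and whichever app
# wins precedence would silently redirect every other input on the host.
[tcpout:my_indexers]
server = my-indexer.example.org:9997

# siem_indexers is assumed to be defined by the SIEM app, for example:
# [tcpout:siem_indexers]
# server = siem-indexer.example.org:9997
```

Before and after deploying, check the merged result on the forwarder with `splunk btool inputs list --debug` and `splunk btool outputs list --debug`; the `--debug` flag prints, for every setting, the file it was resolved from, which is the quickest way to see whether the SIEM app or VARLOG won a conflicting attribute. `_TCP_ROUTING` must name groups that exist in the effective outputs.conf, so a typo in the SIEM group's name is exactly the kind of change that needs the agreed test with the SIEM team.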
