How to send log file by using Universal Forwarder

kevinsteeee · ‎04-19-2020

Hello,

The following process variable logs are created in my system.

Time | Target | Variable | Status
00:00:00 1 99 On-line
00:00:01 2 89 On-line
......

01:01:03 10 76 Off-line

I want to send all process variable logs to Splunk's SIEM by using Universal Forwarder. However, I don't know how to set-up its configuration to send log file. Could you please tell me how I can set-up it?

Thanks,
Kevin

tauliang · ‎04-19-2020

I assume you want to monitor the file and send its content to SIEM? You will need to create an inputs.confif it is not already created, and then put it into $SPLUNK_HOME/etc/system/local/

(1) Add UF server for the host
(2) Put full path of the file you want to monitor
(3) Define the sourcetype you want it to have an the index you want it to go to..

Last but not the least, make sure to restart Splunk UF after all these changes so they could take effect. Also needed is an outputs.conf and make sure it points to the indexer if you don't already have one.

More details can be found here:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitorfilesanddirectorieswithinputs.conf