Splunk Enterprise Security

How to send log file by using Universal Forwarder

kevinsteeee
Explorer

Hello,

The following process variable logs are created in my system.

Time | Target | Variable | Status
00:00:00 1 99 On-line
00:00:01 2 89 On-line
......

01:01:03 10 76 Off-line

I want to send all process variable logs to Splunk's SIEM by using Universal Forwarder. However, I don't know how to set-up its configuration to send log file. Could you please tell me how I can set-up it?

Thanks,
Kevin

0 Karma

tauliang
Communicator

I assume you want to monitor the file and send its content to SIEM? You will need to create an inputs.confif it is not already created, and then put it into $SPLUNK_HOME/etc/system/local/

(1) Add UF server for the host
(2) Put full path of the file you want to monitor
(3) Define the sourcetype you want it to have an the index you want it to go to..

Last but not the least, make sure to restart Splunk UF after all these changes so they could take effect. Also needed is an outputs.conf and make sure it points to the indexer if you don't already have one.

More details can be found here:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitorfilesanddirectorieswithinputs.conf

Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...