Splunk Enterprise Security

How to send log file by using Universal Forwarder

kevinsteeee
Explorer

Hello,

The following process variable logs are created in my system.

Time | Target | Variable | Status
00:00:00 1 99 On-line
00:00:01 2 89 On-line
......

01:01:03 10 76 Off-line

I want to send all process variable logs to Splunk's SIEM by using Universal Forwarder. However, I don't know how to set-up its configuration to send log file. Could you please tell me how I can set-up it?

Thanks,
Kevin

0 Karma

tauliang
Communicator

I assume you want to monitor the file and send its content to SIEM? You will need to create an inputs.confif it is not already created, and then put it into $SPLUNK_HOME/etc/system/local/

(1) Add UF server for the host
(2) Put full path of the file you want to monitor
(3) Define the sourcetype you want it to have an the index you want it to go to..

Last but not the least, make sure to restart Splunk UF after all these changes so they could take effect. Also needed is an outputs.conf and make sure it points to the indexer if you don't already have one.

More details can be found here:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitorfilesanddirectorieswithinputs.conf

Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...