Thank you for your answer. I tried it, but nothing changed on the Splunk Server side.

    Oct 11 16:47:17 SPLUNK-UF OneApp[2417]: [notice] 2022/10/11 16:47:17\x091665474437.6657\x09uid=user999\x09domain=local\x09level=notice\x09code=54201\x09message=OneApp Authentication succeeded.\x09host_ip=192.168.0.52\x09client_ip=192.168.0.5\x09client_ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36\x09client_cookie=\x09admin_id=

I installed UF as follows:

    # export SPLUNK_HOME="/opt/splunkforwarder"
    # vi .bash_profile
    # mkdir $SPLUNK_HOME
    # tar xvzf splunkforwarder-9.0.1-82c987350fde-Linux-x86_64.tgz -C /opt
    # useradd -m splunk
    # passwd splunk
    # chown -R splunk:splunk $SPLUNK_HOME
    # $SPLUNK_HOME/bin/splunk start --accept-license
    # $SPLUNK_HOME/bin/splunk stop
    # $SPLUNK_HOME/bin/splunk disable boot-start
    # $SPLUNK_HOME/bin/splunk enable boot-start -systemd-managed 1
    # $SPLUNK_HOME/bin/splunk start
    # $SPLUNK_HOME/bin/splunk add forward-server 192.168.0.51:9997
    # $SPLUNK_HOME/bin/splunk add monitor /var/log/messages
    # $SPLUNK_HOME/bin/splunk restart

Currently there are only three files in the "$SPLUNK_HOME/etc/system/local" folder:

    # ls $SPLUNK_HOME/etc/system/local
    README  outputs.conf  props.conf  server.conf
    #
    # cat $SPLUNK_HOME/etc/system/local/outputs.conf
    [tcpout]
    defaultGroup = default-autolb-group

    [tcpout:default-autolb-group]
    server = 192.168.0.51:9997

    [tcpout-server://192.168.0.51:9997]
    #
    # cat $SPLUNK_HOME/etc/system/local/server.conf
    [general]
    serverName = SPLUNK-UF
    pass4SymmKey = ***

    [sslConfig]
    sslPassword = ***

    [lmpool:auto_generated_pool_forwarder]
    description = auto_generated_pool_forwarder
    peers = *
    quota = MAX
    stack_id = forwarder

    [lmpool:auto_generated_pool_free]
    description = auto_generated_pool_free
    peers = *
    quota = MAX
    stack_id = free
    #
    # cat $SPLUNK_HOME/etc/system/local/props.conf
    [mysourcetype]
    force_local_processing = true
    SEDCMD-notab = s/\x09/ /g
    #

I don't know what to do. What additional settings are required?