Splunk Universal Forwarder Configuration Properties

To use the Splunk S2S Source Connector, you must configure the following properties on each Splunk universal forwarder (UF) that sends data to it:

  1. sendCookedData
  2. useAck
  3. useSSL
  4. Configure Forward Server on Universal Forwarders

sendCookedData

Determines whether the forwarder sends parsed ("cooked") data, that is, events together with their metadata, to the receiving server. For the connector, set this property to true.

  • Type: boolean
  • Default: true

useAck

Currently, the Connector doesn't support acknowledgements. For the Splunk S2S Source Connector, set this property to false.

  • Type: boolean
  • Default: false

useSSL

The Connector supports SSL. To enable SSL communication between the UF and the Connector, set this property to true.

  • Type: boolean
  • Default: false

Configure Forward Server on Universal Forwarders

  • To configure the universal forwarder (UF) to connect to the Connector using the Splunk CLI, run the following command:

    $SPLUNK_HOME/bin/splunk add forward-server <connector ip address>:<connector listening port>
    
  • To configure the UF to connect to the Connector using outputs.conf, use the following outputs.conf settings:

    [tcpout]
    defaultGroup=splunk_s2s_connector
    
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useACK=false
    useSSL=false
    sendCookedData=true
    

For more details, see Configure forwarding with outputs.conf.
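The following check, added here as an example and not part of the Connector's own tooling, lints a UF outputs.conf against the requirements above (sendCookedData=true, useACK=false, a boolean useSSL, and a real host:port instead of the placeholders). It assumes that setting names may be compared case-insensitively and that a group stanza inherits settings from the global [tcpout] stanza; the sample configuration and the address 10.0.0.5:9997 are constructed.

```python
import configparser
import re

# Constructed sample mirroring the outputs.conf stanza shown above.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup=splunk_s2s_connector

[tcpout:splunk_s2s_connector]
server=10.0.0.5:9997
useACK=false
useSSL=false
sendCookedData=true
"""

# Values the Splunk S2S Source Connector requires (keys lower-cased for matching).
CONNECTOR_REQUIREMENTS = {"sendcookeddata": "true", "useack": "false"}


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower  # assumption: compare setting names case-insensitively
    cp.read_string(text)
    return cp


def _effective(cp, group):
    """Group stanza settings layered over the global [tcpout] defaults (assumed inheritance)."""
    settings = {}
    for stanza in ("tcpout", "tcpout:" + group):
        if cp.has_section(stanza):
            settings.update({k: v.strip().lower() for k, v in cp.items(stanza)})
    return settings


def lint_outputs_conf(text):
    """Return a list of problems; an empty list means the UF is configured for the Connector."""
    problems = []
    cp = _parse(text)
    if not cp.has_section("tcpout") or "defaultgroup" not in cp["tcpout"]:
        return ["[tcpout] stanza with defaultGroup is missing"]
    group = cp["tcpout"]["defaultgroup"].strip()
    if not cp.has_section("tcpout:" + group):
        return [f"defaultGroup '{group}' has no [tcpout:{group}] stanza"]
    eff = _effective(cp, group)
    server = eff.get("server", "")
    if not re.fullmatch(r"[^:,\s]+:\d{1,5}", server):  # catches unreplaced <placeholders>
        problems.append(f"server must be <host>:<port>, got '{server or '(unset)'}'")
    for key, want in CONNECTOR_REQUIREMENTS.items():
        got = eff.get(key)
        if got is None:
            problems.append(f"{key} is unset (connector needs {want})")
        elif got != want:
            problems.append(f"{key}={got} (connector needs {want})")
    if eff.get("usessl", "false") not in ("true", "false"):
        problems.append(f"useSSL must be true or false, got '{eff['usessl']}'")
    return problems
```

Run `lint_outputs_conf(open("/opt/splunkforwarder/etc/system/local/outputs.conf").read())` (path assumed) before restarting the forwarder; a non-empty list means the Connector will not accept or will not receive the stream as configured.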

Configure Inputs on Splunk universal forwarder

File Monitor Input

You can configure monitoring of files and directories using the CLI:

    $SPLUNK_HOME/bin/splunk add monitor <path to file/directory>

  • The following example shows how to monitor files in the /var/log/ directory:

    $SPLUNK_HOME/bin/splunk add monitor /var/log/
    
  • The following example shows how to monitor the windowsupdate.log file where Windows logs automatic updates:

    $SPLUNK_HOME/bin/splunk add monitor c:\Windows\windowsupdate.log
    

For more details, see Configure File Monitoring Using CLI. To configure monitoring files and directories using inputs.conf, see Configure File Monitoring with inputs.conf.

Scripted Input

To configure scripts:

  1. Place the scripts in the $SPLUNK_HOME/bin/scripts directory.

  2. Configure scripted data input by editing the $SPLUNK_HOME/etc/SplunkUniversalForwarder/local/inputs.conf file. Here is an example stanza:

    [script://$SPLUNK_HOME/bin/scripts/starter_script.sh]
    disabled = false
    host = some_host_value
    index = main
    interval = 30
    source = my_db
    sourcetype = my_db_data
    

    Note

    If the inputs.conf file doesn’t exist, create the file manually.

For more details regarding scripted input, see Configure Scripted Input.

Syslog Input

You can configure syslog input on a Splunk UF by adding a network input to the forwarder:

  1. Using the CLI:

    $SPLUNK_HOME/bin/splunk add udp|tcp <port> -sourcetype syslog
    
  2. Using the inputs.conf configuration file. Here is an example stanza:

    [tcp://:<port>]
    connection_host = dns
    sourcetype = syslog
    

For more details regarding syslog input, see Monitor Network Ports on Splunk UF.

Windows Event Log

Note

Windows Event Log Input is only available on forwarders that are installed on Windows machines.

To configure the Windows event log:

  1. Edit the inputs.conf configuration file located at $SPLUNK_HOME\etc\system\local\inputs.conf by adding the following settings (you may need to create this file if it doesn’t exist):

    # Windows platform specific input processor.
    [WinEventLog://Application]
    disabled = 0
    [WinEventLog://Security]
    disabled = 0
    [WinEventLog://System]
    disabled = 0
    
  2. To configure the Windows event log input to render event data as XML, configure the renderXml setting in the inputs.conf file as shown in the following example:

    [WinEventLog://Security]
    disabled = 0
    renderXml = 1
    

For more details regarding Windows event log input, refer to Monitor Windows Event Log.