Configuration Reference for Splunk Forwarder

To use the Splunk S2S Source connector, you must configure all of the following configuration properties on Splunk forwarders:

  1. sendCookedData
  2. useAck
  3. useSSL
  4. Configure SSL communication for forwarders
  5. Configure Forward Server on Forwarders
  6. compressed

sendCookedData

Determines whether to send parsed data (event with metadata information) to the receiving server or not. For the connector, this config should be configured to true.

  • Type: boolean
  • Default: true

useAck

Currently the Connector doesn’t support acknowledgements. For the Splunk S2S Source connector, this config should be configured to false.

  • Type: boolean
  • Default: false

useSSL

The Connector supports SSL. If user wants to enable SSL communication, this config should be configured to true.

  • Type: boolean
  • Default: false

Configure SSL communication for forwarders

  • To configure the forwarder to connect to the connector using SSL, use the following outputs.conf settings:

    [tcpout]
    defaultGroup=splunk_s2s_connector
    
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useSSL=true
    sslRootCAPath= /opt/splunk/etc/auth/mycerts/myCACertificate.pem
    
  • To configure client authentication in SSL communication between the forwarder and the connector using outputs.conf, use the following outputs.conf settings:

    [tcpout]
    defaultGroup=splunk_s2s_connector
    
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useSSL=true
    sslRootCAPath= /opt/splunk/etc/auth/mycerts/myCACertificate.pem
    clientCert = /opt/splunk/etc/auth/mycerts/myClientCert.pem
    sslPassword = myCertificatePassword
    

For more details, see Configure Splunk forwarding to use your own SSL certificates

compressed

The Splunk S2S Source connector supports compression. If you want to enable compression between forwarders and the connector, you should set compressed to true.

  • Type: boolean
  • Default: false

Configure Forward Server on Forwarders

  • To configure the forwarder to connect to the Connector using the Splunk CLI, run the following command:

    $SPLUNK_HOME/bin/splunk add forward-server <connector ip address>:<connector listening port>
    
  • To configure the forwarder to connect to the Connector using outputs.conf, use the following outputs.conf settings:

    [tcpout]
    defaultGroup=splunk_s2s_connector
    
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useACK=false
    useSSL=false
    sendCookedData=true
    

For more details, see Configure forwarding with outputs.conf

Configure Inputs on Splunk Forwarder

File Monitor Input

You can configure monitoring file and directories using the CLI:

$SPLUNK_HOME/bin/splunk add monitor <path to file/directory>
  • The following example shows how to monitor files in the /var/log/ directory:

    $SPLUNK_HOME/bin/splunk add monitor /var/log/
    
  • The following example shows how to monitor the windowsupdate.log file where Windows logs automatic updates:

    $SPLUNK_HOME/bin/splunk add monitor c:\Windows\windowsupdate.log
    

For more details, see Configure File Monitoring Using CLI. To configure monitoring files and directories using inputs.conf, see Configure File Monitoring with inputs.conf.

Scripted Input

To configure scripts:

  1. Place the scripts in the $SPLUNK_HOME/bin/scripts directory.

  2. Configure scripted data input by editing the $SPLUNK_HOME/etc/system/local/inputs.conf file. Here is an example stanza:

    [script://$SPLUNK_HOME/bin/scripts/starter_script.sh]
    disabled = false
    host = some_host_value
    index = main
    interval = 30
    source = my_db
    sourcetype = my_db_data
    

    Note

    If the inputs.conf file doesn’t exist, create the file manually.

For more details regarding scripted input, see Configure Scripted Input.

Syslog Input

You can configure Syslog Input on Splunk universal forwarder by adding a network input to the forwarder(UF):

  • Using CLI:

    $SPLUNK_HOME/bin/splunk add udp|tcp <port> -sourcetype syslog
    
  • Using Configuration file inputs.conf. Here is an example stanza:

    [tcp://:<port>]
    connection_host = dns
    sourcetype = syslog
    

For more details regarding Syslog input, see Monitor Network Ports on Splunk forwarder.

Windows Event Log

Note

Windows Event Log Input is only available on forwarders that are installed on Windows machines.

To configure the Windows event log:

  • Edit the inputs.conf configuration file located at $SPLUNK_HOME\etc\system\local\inputs.conf by adding the following settings (you may need to create this file if it doesn’t exist):

    # Windows platform specific input processor.
    [WinEventLog://Application]
    disabled = 0
    [WinEventLog://Security]
    disabled = 0
    [WinEventLog://System]
    disabled = 0
    
  • To configure Windows event log input to render event data as XML, configure the renderXml setting in the inputs.conf file as shown in the following example:

    [WinEventLog://Security]
    disabled = 0
    renderXml = 1
    

For more details regarding windows event log input, refer to Monitor Windows Event Log.