Configuration Reference for Splunk Forwarder¶
To use the Splunk S2S Source connector, configure all of the following properties on the Splunk forwarders:
- sendCookedData
- useAck
- useSSL
- Configure SSL communication for forwarders
- Configure Forward Server on Forwarders
- compressed
sendCookedData¶
Determines whether the forwarder sends parsed data (events with metadata) to the receiving server. For the connector, set this property to true.
- Type: boolean
- Default: true
useAck¶
The connector does not currently support acknowledgements. For the Splunk S2S Source connector, set this property to false.
- Type: boolean
- Default: false
useSSL¶
The connector supports SSL. To enable SSL communication, set this property to true.
- Type: boolean
- Default: false
Configure SSL communication for forwarders¶
To configure the forwarder to connect to the connector using SSL, use the following outputs.conf settings:
    [tcpout]
    defaultGroup=splunk_s2s_connector
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useSSL=true
    sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCACertificate.pem
To configure client authentication for the SSL communication between the forwarder and the connector, use the following outputs.conf settings:
    [tcpout]
    defaultGroup=splunk_s2s_connector
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useSSL=true
    sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCACertificate.pem
    clientCert = /opt/splunk/etc/auth/mycerts/myClientCert.pem
    sslPassword = myCertificatePassword
For more details, see Configure Splunk forwarding to use your own SSL certificates.
compressed¶
The Splunk S2S Source connector supports compression. To enable compression between the forwarders and the connector, set compressed to true.
- Type: boolean
- Default: false
Configure Forward Server on Forwarders¶
To configure the forwarder to connect to the connector using the Splunk CLI, run the following command:
    $SPLUNK_HOME/bin/splunk add forward-server <connector ip address>:<connector listening port>
To configure the forwarder to connect to the connector using outputs.conf, use the following outputs.conf settings:
    [tcpout]
    defaultGroup=splunk_s2s_connector
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useACK=false
    useSSL=false
    sendCookedData=true
For more details, see Configure forwarding with outputs.conf.
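The SSL and forward-server stanzas above are easy to get subtly wrong (acknowledgements left on, a client certificate without its password, SSL silently off). The following checker is an added example, not part of the connector or of Splunk: it parses an outputs.conf fragment and reports deviations from the settings this page requires. The sample stanza, the host name, and the rule that sslRootCAPath must be present whenever useSSL=true are this example's own assumptions.

```python
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def as_bool(value, default):
    # Splunk booleans are true/false or 1/0; None means the setting is absent.
    return default if value is None else value.lower() in ("true", "1")

def check_outputs_conf(text):
    """Return findings against the page's forwarder settings; [] means the file passes."""
    conf, findings = parse_conf(text), []
    group = conf.get("tcpout", {}).get("defaultGroup")
    stanza = conf.get(f"tcpout:{group}") if group else None
    if stanza is None:
        return [f"[tcpout] defaultGroup '{group}' has no matching [tcpout:{group}] stanza"]
    if not as_bool(stanza.get("sendCookedData"), True):
        findings.append("sendCookedData must be true: the connector expects cooked (parsed) events")
    if as_bool(stanza.get("useACK"), False):
        findings.append("useACK must be false: the connector does not support acknowledgements")
    if as_bool(stanza.get("useSSL"), False):
        # The page's SSL stanza sets sslRootCAPath; this checker treats it as required (assumption).
        if "sslRootCAPath" not in stanza:
            findings.append("useSSL=true but sslRootCAPath is not set")
        if "clientCert" in stanza and "sslPassword" not in stanza:
            findings.append("clientCert is set but sslPassword is not")
    else:
        findings.append("useSSL=false: forwarder-to-connector traffic is unencrypted")
    return findings

# Constructed sample: the page's client-authentication stanza with two mistakes introduced.
SAMPLE = """[tcpout]
defaultGroup=splunk_s2s_connector
[tcpout:splunk_s2s_connector]
server=connector.example.internal:9997
useACK=true
useSSL=true
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCACertificate.pem
clientCert = /opt/splunk/etc/auth/mycerts/myClientCert.pem
"""
print("\n".join(check_outputs_conf(SAMPLE)))
```

Run it against a real $SPLUNK_HOME/etc/system/local/outputs.conf by reading the file into check_outputs_conf; an empty result means the stanza matches the settings on this page.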
Configure Inputs on Splunk Forwarder¶
File Monitor Input¶
You can configure monitoring of files and directories using the CLI:
    $SPLUNK_HOME/bin/splunk add monitor <path to file/directory>
The following example shows how to monitor files in the /var/log/ directory:
    $SPLUNK_HOME/bin/splunk add monitor /var/log/
The following example shows how to monitor the windowsupdate.log file, where Windows logs automatic updates:
    $SPLUNK_HOME/bin/splunk add monitor c:\Windows\windowsupdate.log
For more details, see Configure File Monitoring Using CLI.
To configure monitoring of files and directories using inputs.conf, see Configure File Monitoring with inputs.conf.
Scripted Input¶
To configure scripts:
1. Place the scripts in the $SPLUNK_HOME/bin/scripts directory.
2. Configure the scripted data input by editing the $SPLUNK_HOME/etc/system/local/inputs.conf file. Here is an example stanza:
    [script://$SPLUNK_HOME/bin/scripts/starter_script.sh]
    disabled = false
    host = some_host_value
    index = main
    interval = 30
    source = my_db
    sourcetype = my_db_data
Note
If the inputs.conf file doesn't exist, create the file manually.
For more details regarding scripted input, see Configure Scripted Input.
Syslog Input¶
You can configure Syslog input on a Splunk universal forwarder (UF) by adding a network input to the forwarder.
Using the CLI:
    $SPLUNK_HOME/bin/splunk add udp|tcp <port> -sourcetype syslog
Using the inputs.conf configuration file. Here is an example stanza:
    [tcp://:<port>]
    connection_host = dns
    sourcetype = syslog
For more details regarding Syslog input, see Monitor Network Ports on Splunk forwarder.
Windows Event Log¶
Note
Windows Event Log Input is only available on forwarders that are installed on Windows machines.
To configure the Windows event log:
Edit the inputs.conf configuration file located at $SPLUNK_HOME\etc\system\local\inputs.conf by adding the following settings (you may need to create this file if it doesn't exist):
    # Windows platform specific input processor.
    [WinEventLog://Application]
    disabled = 0
    [WinEventLog://Security]
    disabled = 0
    [WinEventLog://System]
    disabled = 0
To configure the Windows event log input to render event data as XML, configure the renderXml setting in the inputs.conf file as shown in the following example:
    [WinEventLog://Security]
    disabled = 0
    renderXml = 1
For more details regarding the Windows event log input, refer to Monitor Windows Event Log.