Splunk Forwarder Configuration Properties

To use the Splunk S2S Source connector, configure the following properties and settings on every Splunk forwarder that sends data to it:

  1. sendCookedData
  2. useAck
  3. useSSL
  4. Configure SSL communication for forwarders
  5. Configure Forward Server on Forwarders
  6. compressed

sendCookedData

Determines whether the forwarder sends parsed data (events with metadata) to the receiving server. For the connector, set this property to true.

  • Type: boolean
  • Default: true

useAck

The connector does not currently support acknowledgements. For the Splunk S2S Source connector, set this property to false.

  • Type: boolean
  • Default: false

useSSL

The connector supports SSL. To enable SSL communication between the forwarder and the connector, set this property to true.

  • Type: boolean
  • Default: false

Configure SSL communication for forwarders

  • To configure the forwarder to connect to the connector using SSL, use the following outputs.conf settings:

    [tcpout]
    defaultGroup=splunk_s2s_connector
    
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useSSL=true
    sslRootCAPath= /opt/splunk/etc/auth/mycerts/myCACertificate.pem
    
  • To additionally require client certificate authentication in the SSL communication between the forwarder and the connector, use the following outputs.conf settings:

    [tcpout]
    defaultGroup=splunk_s2s_connector
    
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useSSL=true
    sslRootCAPath= /opt/splunk/etc/auth/mycerts/myCACertificate.pem
    clientCert = /opt/splunk/etc/auth/mycerts/myClientCert.pem
    sslPassword = myCertificatePassword
    

For more details, see Configure Splunk forwarding to use your own SSL certificates.

compressed

The Splunk S2S Source connector supports compression. To enable compression between forwarders and the connector, set compressed to true.

  • Type: boolean
  • Default: false

Configure Forward Server on Forwarders

  • To configure the forwarder to connect to the connector using the Splunk CLI, run the following command:

    $SPLUNK_HOME/bin/splunk add forward-server <connector ip address>:<connector listening port>
    
  • To configure the forwarder to connect to the connector using outputs.conf, use the following settings:

    [tcpout]
    defaultGroup=splunk_s2s_connector
    
    [tcpout:splunk_s2s_connector]
    server=<connector_ip>:<connector_port>
    useACK=false
    useSSL=false
    sendCookedData=true
    

For more details, see Configure forwarding with outputs.conf.
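As an added example (not from the Splunk or connector documentation), the following Python checker reads a forwarder's outputs.conf and flags settings that conflict with what the SSL and Forward Server sections above require: useACK left on, sendCookedData turned off, no server, or useSSL=true without the sslRootCAPath that the SSL example sets. The .conf reader is a minimal parser written for this example, not Splunk's own configuration loader.

```python
from typing import Dict, List

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal Splunk-style .conf reader (written for this example): {stanza: {key: value}}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_connector_outputs(text: str) -> List[str]:
    """Return findings for outputs.conf settings that conflict with what the connector needs."""
    conf = parse_conf(text)
    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["[tcpout] has no defaultGroup"]
    stanza = conf.get(f"tcpout:{group}")
    if stanza is None:
        return [f"[tcpout:{group}] stanza is missing"]
    # Case-insensitive lookup: the page spells the ack setting both useAck and useACK.
    low = {k.lower(): v.lower() for k, v in stanza.items()}
    findings: List[str] = []
    if "server" not in low:
        findings.append("server (connector host:port) is not set")
    if low.get("useack", "false") != "false":  # page default: false
        findings.append("useACK must be false: the connector does not support acknowledgements")
    if low.get("sendcookeddata", "true") != "true":  # page default: true
        findings.append("sendCookedData must be true: the connector expects parsed (cooked) data")
    if low.get("usessl", "false") == "true" and "sslrootcapath" not in low:
        findings.append("useSSL=true but sslRootCAPath is not set (the SSL example above sets it)")
    return [f"[tcpout:{group}] {f}" for f in findings]

if __name__ == "__main__":
    import sys  # usage: python check_outputs.py /opt/splunkforwarder/etc/system/local/outputs.conf
    with open(sys.argv[1]) as fh:
        for finding in check_connector_outputs(fh.read()):
            print(finding)
```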

Configure Inputs on Splunk Forwarder

File Monitor Input

You can configure monitoring of files and directories using the CLI:

    $SPLUNK_HOME/bin/splunk add monitor <path to file/directory>

  • The following example shows how to monitor files in the /var/log/ directory:

    $SPLUNK_HOME/bin/splunk add monitor /var/log/
    
  • The following example shows how to monitor the windowsupdate.log file where Windows logs automatic updates:

    $SPLUNK_HOME/bin/splunk add monitor c:\Windows\windowsupdate.log
    

For more details, see Configure File Monitoring Using CLI. To configure monitoring files and directories using inputs.conf, see Configure File Monitoring with inputs.conf.

Scripted Input

To configure scripts:

  1. Place the scripts in the $SPLUNK_HOME/bin/scripts directory.

  2. Configure scripted data input by editing the $SPLUNK_HOME/etc/system/local/inputs.conf file. Here is an example stanza:

    [script://$SPLUNK_HOME/bin/scripts/starter_script.sh]
    disabled = false
    host = some_host_value
    index = main
    interval = 30
    source = my_db
    sourcetype = my_db_data
    

    Note

    If the inputs.conf file doesn’t exist, create the file manually.

For more details regarding scripted input, see Configure Scripted Input.

Syslog Input

You can configure a syslog input on a Splunk universal forwarder (UF) by adding a network input to the forwarder:

  • Using CLI:

    $SPLUNK_HOME/bin/splunk add udp|tcp <port> -sourcetype syslog
    
  • Using the inputs.conf configuration file. Here is an example stanza:

    [tcp://:<port>]
    connection_host = dns
    sourcetype = syslog
    

For more details regarding the syslog input, see Monitor Network Ports on Splunk forwarder.

Windows Event Log

Note

Windows Event Log Input is only available on forwarders that are installed on Windows machines.

To configure the Windows event log:

  • Edit the inputs.conf configuration file located at $SPLUNK_HOME\etc\system\local\inputs.conf by adding the following settings (you may need to create this file if it doesn’t exist):

    # Windows platform specific input processor.
    [WinEventLog://Application]
    disabled = 0
    [WinEventLog://Security]
    disabled = 0
    [WinEventLog://System]
    disabled = 0
    
  • To configure Windows event log input to render event data as XML, configure the renderXml setting in the inputs.conf file as shown in the following example:

    [WinEventLog://Security]
    disabled = 0
    renderXml = 1
    

For more details regarding the Windows event log input, see Monitor Windows Event Log.