{"id":4026,"date":"2017-09-18T20:22:02","date_gmt":"2017-09-18T18:22:02","guid":{"rendered":"http:\/\/www.laurentmarot.fr\/wordpress\/?p=4026"},"modified":"2017-09-20T08:29:42","modified_gmt":"2017-09-20T06:29:42","slug":"how-do-i-configure-a-splunk-forwarder-on-linux","status":"publish","type":"post","link":"https:\/\/www.laurentmarot.fr\/wordpress\/?p=4026","title":{"rendered":"How do I configure a Splunk Forwarder on Linux?"},"content":{"rendered":"<p><strong>From Splunk Command Line Reference:<\/strong><br \/>\n<a href=\"http:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/Admin\/AccessandusetheCLIonaremoteserver\">http:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/Admin\/AccessandusetheCLIonaremoteserver<\/a><\/p>\n<p><u>Note:<\/u> the CLI may ask you to authenticate \u2013 it\u2019s asking for the LOCAL credentials, so if you haven\u2019t changed the admin password on the forwarder, you should use <em>admin\/changeme<\/em>.<\/p>\n<p><strong>Steps for Installing\/Configuring Linux forwarders:<\/strong><\/p>\n<p><strong>Step 1:<\/strong> Download Splunk Universal Forwarder: <a href=\"http:\/\/www.splunk.com\/download\/universalforwarder\">http:\/\/www.splunk.com\/download\/universalforwarder<\/a> (64-bit package if applicable!). 
You will have to create an account to download any piece of Splunk software.<\/p>\n<p><strong>Step 2:<\/strong> Install Forwarder<\/p>\n<p><code><strong><span style=\"color: #0000ff;\">tar -xvf splunkforwarder-6.6.3-e21ee54bc796-Linux-x86_64.tgz -C \/opt<\/span><\/strong><\/code><\/p>\n<p>This unpacks the forwarder into the \/opt\/splunkforwarder directory.<\/p>\n<p><strong>Step 3:<\/strong> Enable boot-start\/init script:<\/p>\n<p><code><strong><span style=\"color: #0000ff;\">\/opt\/splunkforwarder\/bin\/splunk enable boot-start<\/span><\/strong><\/code><\/p>\n<p>(start splunk: <span style=\"color: #0000ff;\"><strong><code><span style=\"color: #0000ff;\">\/opt\/splunkforwarder\/bin\/splunk start<\/span><\/code><\/strong><\/span>)<\/p>\n<p><strong>Step 4:<\/strong> Enable Receiving input on the <strong>Index Server<\/strong><\/p>\n<p>Configure the Splunk Index Server to receive data, in either of two ways:<\/p>\n<ul>\n<li>using the web GUI: Manager -&gt; sending and receiving -&gt; configure receiving -&gt; new<\/li>\n<li>using the CLI: <span style=\"color: #0000ff;\"><strong><code>\/opt\/splunk\/bin\/splunk enable listen 9997<\/code><\/strong><\/span><\/li>\n<\/ul>\n<div id=\"attachment_4032\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"http:\/\/www.laurentmarot.fr\/wordpress\/wp-content\/uploads\/2017\/09\/Capture-du-2017-09-18-20-39-46.png\" rel=\"lightbox[4026]\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4032\" class=\"size-medium wp-image-4032\" src=\"http:\/\/www.laurentmarot.fr\/wordpress\/wp-content\/uploads\/2017\/09\/Capture-du-2017-09-18-20-39-46-300x113.png\" alt=\"Enable receiving on Indexer\" width=\"300\" height=\"113\" srcset=\"https:\/\/www.laurentmarot.fr\/wordpress\/wp-content\/uploads\/2017\/09\/Capture-du-2017-09-18-20-39-46-300x113.png 300w, https:\/\/www.laurentmarot.fr\/wordpress\/wp-content\/uploads\/2017\/09\/Capture-du-2017-09-18-20-39-46-768x290.png 768w, 
https:\/\/www.laurentmarot.fr\/wordpress\/wp-content\/uploads\/2017\/09\/Capture-du-2017-09-18-20-39-46-1024x386.png 1024w, https:\/\/www.laurentmarot.fr\/wordpress\/wp-content\/uploads\/2017\/09\/Capture-du-2017-09-18-20-39-46.png 1098w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-4032\" class=\"wp-caption-text\">Enable receiving on Indexer<\/p><\/div>\n<p>Where 9997 (default) is the receiving port for Splunk Forwarder connections.<\/p>\n<p><strong>Step 5:<\/strong> Configure Forwarder connection to Index Server:<\/p>\n<p><strong><span style=\"color: #0000ff;\"><code>\/opt\/splunkforwarder\/bin\/splunk add forward-server hostname.domain:9997<\/code><\/span><\/strong><\/p>\n<p>(where hostname.domain is the fully qualified name or IP address of the index server, like indexer.splunk.com, and 9997 is the receiving port you enabled on the Indexer in Step 4)<\/p>\n<p><strong>Step 6:<\/strong> Test Forwarder connection:<\/p>\n<p><code><span style=\"color: #0000ff;\"><strong>\/opt\/splunkforwarder\/bin\/splunk list forward-server<\/strong><\/span><\/code><\/p>\n<p><strong>Step 7:<\/strong> Add Data:<\/p>\n<p><strong><span style=\"color: #0000ff;\"><code><span style=\"color: #0000ff;\">\/opt\/splunkforwarder\/bin\/splunk add monitor \/path\/to\/app\/logs\/ -index main -sourcetype %app%<\/span><\/code><\/span><\/strong><\/p>\n<p>Where<\/p>\n<p>\/path\/to\/app\/logs\/ is the path to the application logs on the host that you want to bring into Splunk,<br \/>\n%app% is the sourcetype name you want to associate with that type of data.<\/p>\n<p>This will create the file inputs.conf in \/opt\/splunkforwarder\/etc\/apps\/search\/local\/.<\/p>\n<p>Documentation on inputs.conf: http:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/admin\/Inputsconf<\/p>\n<p><u>Note:<\/u> System logs in \/var\/log\/ are covered in the configuration part of Step 7. 
If you have application logs in \/var\/log\/*\/<\/p>\n<p><strong>Step 8 (Optional):<\/strong> Install and Configure UNIX app on Indexer and *nix forwarders:<\/p>\n<p>On the Splunk Indexer, go to Apps -&gt; Manage Apps -&gt; Find more Apps Online -&gt; Search for \u2018<em><strong>Splunk App for Unix and Linux<\/strong><\/em>\u2019 -&gt; Install the \u00ab\u00a0Splunk App for Unix and Linux\u00a0\u00bb. Restart Splunk if prompted, then open the UNIX app -&gt; Configure.<\/p>\n<p>Once you\u2019ve configured the UNIX app on the server, you&rsquo;ll want to install the related Add-on: \u00ab\u00a0<em><strong>Splunk Add-on for Unix and Linux<\/strong><\/em>\u00a0\u00bb on the Universal Forwarder.<\/p>\n<p>Go to http:\/\/apps.splunk.com\/ and find the \u00ab\u00a0Splunk Add-on for Unix and Linux\u00a0\u00bb (Note you want the <strong>ADD-ON<\/strong>, not the <strong>APP<\/strong> &#8211; there is a big difference!).<\/p>\n<p>Copy the contents of the Add-On zip file to the Universal Forwarder, in: \/opt\/splunkforwarder\/etc\/apps\/.<\/p>\n<p>If done correctly, you will have the directory \u00ab\u00a0\/opt\/splunkforwarder\/etc\/apps\/Splunk_TA_nix\u00a0\u00bb and inside it will be a few directories along with a README &amp; license files.<\/p>\n<p>Restart the Splunk forwarder (\/opt\/splunkforwarder\/bin\/splunk restart).<\/p>\n<p><u>Note:<\/u> The data collected by the UNIX app is by default placed into a separate index called \u2018os\u2019, so it will not be searchable within Splunk unless you either go through the UNIX app, or include the following in your search query: \u201cindex=os\u201d or \u201cindex=os OR index=main\u201d (don\u2019t paste the double quotes).<\/p>\n<p>You also will have to install <em><strong>sysstat<\/strong><\/em> if you want to monitor your server resources.<\/p>\n<p><strong>Step 9 (Optional):<\/strong> Customize UNIX app configuration on forwarders:<\/p>\n<p>Look at inputs.conf in \/opt\/splunkforwarder\/etc\/apps\/unix\/local\/ and 
\/opt\/splunkforwarder\/etc\/apps\/unix\/default\/. The ~default\/inputs.conf shows what the app can do, but everything is disabled.<\/p>\n<p>The ~local\/inputs.conf shows what has been enabled \u2013 if you want to change polling intervals or disable certain scripts, make the changes in ~local\/inputs.conf.<\/p>\n<p><strong>Step 10 (Optional):<\/strong> Configure File System Change Monitoring (for configuration files): <a href=\"http:\/\/docs.splunk.com\/Documentation\/Splunk\/4.3.2\/Data\/Monitorchangestoyourfilesystem\">http:\/\/docs.splunk.com\/Documentation\/Splunk\/4.3.2\/Data\/Monitorchangestoyourfilesystem<\/a><\/p>\n<p>Note that Splunk also has a centralized configuration management server called <strong>Deployment Server<\/strong>. This can be used to define server classes and push out specific apps and configurations to those classes. So you may want your production server class to have the UNIX app configured to execute the scripts listed in ~local\/inputs.conf at the default values, while your QA servers only need a few of the full stack, and at longer polling intervals.<\/p>\n<p>Using Deployment Server, you can configure these classes, configure the app once centrally, and push the appropriate app\/configuration to the right systems.<\/p>\n<p>Enjoy!<\/p>\n<p>Need help troubleshooting?<\/p>\n<p>Do the same on the Microsoft Windows platform: click, click, click&#8230;<\/p>\n<p>Splunk official how-to on that part: <a href=\"http:\/\/docs.splunk.com\/Documentation\/Splunk\/6.2.3\/Data\/Useforwardingagentstogetdata\">http:\/\/docs.splunk.com\/Documentation\/Splunk\/6.2.3\/Data\/Useforwardingagentstogetdata<\/a><\/p>\n\n","protected":false},"excerpt":{"rendered":"<p>From Splunk Command Line Reference: http:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/Admin\/AccessandusetheCLIonaremoteserver Note: the CLI may ask you to authenticate \u2013 it\u2019s asking for the LOCAL credentials, so if you haven\u2019t changed the admin 
password on the forwarder, you should use admin\/changeme Steps for Installing\/Configuring Linux forwarders: Step 1: Download Splunk Universal Forwarder: http:\/\/www.splunk.com\/download\/universalforwarder (64bit package if applicable!). You will have [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,60],"tags":[],"_links":{"self":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4026"}],"collection":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4026"}],"version-history":[{"count":16,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4026\/revisions"}],"predecessor-version":[{"id":4043,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4026\/revisions\/4043"}],"wp:attachment":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}