Howto configure SPLUNK Universal Forwarder

Configuration


Splunk Universal Forwarder


Configure outputs.conf file, located at /opt/splunkforwarder/etc/system/local/
with SSL put these stanza :
[tcpout]
defaultGroup = group1      # group name
disabled = false           # enable
isLoadBalanced = False     # no load balance
maxQueueSize = 1000        # queue size
indexAndForward = false    # false indexing

[tcpout:group1]
server = 192.168.5.101:4433                                     # splunk server
sslCertPath = /opt/splunkforwarder/etc/auth/server.pem          # ssl cert
sslPassword = $1$u0oVxHiXnWyJ                                   # password will be encrypted automatically
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem        # ssl ca

server.pem and cacert.pem you can get it from splunk server, located at /opt/splunk/etc/auth/ copy that files to splunkforwarder.

Without SSL put these stanza:
[tcpout]
defaultGroup = group1      # group name
disabled = false           # enable
isLoadBalanced = False     # no load balance
maxQueueSize = 1000        # queue size
indexAndForward = false    # false indexing

[tcpout:group1]
server = 192.168.5.101:9997  # using 9997 and splunk server address is 192.168.5.101

Configure inputs.conf file, located at /opt/splunkforwarder/etc/system/local/
put these stanza :
[default]
host = dagelan.humor.com     # register splunk forwarder host

[monitor:///var/log]         # send all log files located at /var/log

[monitor:///var/ossec/log]   # send all ossec log files located at /var/ossec/log/


Check universal forwarder connection
# tail -f /opt/splunkforwarder/var/log/splunk/splunkd.log


02-20-2012 09:51:52.068 +0700 INFO  loader - Instantiated plugin: controlqueueoutputprocessor
02-20-2012 09:51:52.068 +0700 INFO  PipelineComponent - Pipeline merging disabled in *mode.conf file
02-20-2012 09:51:52.068 +0700 INFO  PipelineComponent - Pipeline typing disabled in *mode.conf file
02-20-2012 09:51:52.068 +0700 INFO  PipelineComponent - Launching the pipelines.
02-20-2012 09:51:52.069 +0700 INFO  loader - Server supporting SSL v2/v3
02-20-2012 09:51:52.069 +0700 INFO  loader - Using cipher suite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-20-2012 09:51:52.170 +0700 INFO  TailingProcessor - TailWatcher initializing...
02-20-2012 09:51:52.170 +0700 INFO  TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk.
02-20-2012 09:51:52.172 +0700 INFO  TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/...stash_new.
02-20-2012 09:51:52.172 +0700 INFO  TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/etc/splunk.version.
02-20-2012 09:51:52.173 +0700 INFO  TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk.
02-20-2012 09:51:52.173 +0700 INFO  TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log.
02-20-2012 09:51:52.173 +0700 INFO  TailingProcessor - Parsing configuration stanza: monitor:///var/log/httpd/modsec_audit.log.
02-20-2012 09:51:52.173 +0700 INFO  BatchReader - State transitioning from 2 to 0 (initOrResume).
02-20-2012 09:51:52.375 +0700 INFO  WatchedFile - Will begin reading at offset=49285496 for file='/var/log/httpd/modsec_audit.log'.
02-20-2012 09:51:52.996 +0700 WARN  TcpOutputFd - Connect to 192.168.5.101:9997 failed. Connection refused
02-20-2012 09:51:52.996 +0700 ERROR TcpOutputFd - Connection to host=192.168.5.101:9997 failed
02-20-2012 09:51:59.065 +0700 INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
02-20-2012 09:52:22.007 +0700 INFO  TcpOutputProc - Connected to idx=192.168.5.101:9997


Splunk Server


At splunk server just configure the inputs.conf at /opt/splunk/etc/system/local/
With SSL put these stanza :
[default]
host = ketoprak.humor.com       # splunk server hostname
# The following configuration sets a global default for data payloads sent from the light forwarder.
# The route parameter is an ordered set of rules that is evaluated in order for each payload of cooked data.

[splunktcp]
route = has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue;
[splunktcp-ssl:4433]            # using 4433 port for SSL
disabled = false
sourcetype = tcp-4433
queue=indexQueue

[SSL]
password = $1$1JEfLZrTO062
requireClientCert = false
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem

open 4433 port
# iptables -I INPUT -p tcp -s 192.168.5.102 --dport 4433 -j ACCEPT

check port listening
# netstat -tnap | grep -e 4433


Without SSL put these stanza :
[default]
host = ketoprak.humor.com   # splunk server hostname

# The following configuration directs Splunk to listen on TCP port 9997 for raw data from ANY remote server 
# (not just a Splunk instance). The host of the data is set to the IP address of the remote server.
[tcp://:9997]
disabled = 0

# The following configuration sets a global default for data payloads sent from the light forwarder.
# The route parameter is an ordered set of rules that is evaluated in order for each payload of cooked data.
[splunktcp]
route = has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue;

# The following configuration directs Splunk to listen on TCP port 9997 for distributed search data from  
# 192.168.5.102. The data is processed the same as locally indexed data.
[splunktcp://192.168.5.102:9997]
disabled = false
queue = parsingQueue
sourcetype = tcp-9968

open 9997 port
# iptables -I INPUT -p tcp -s 192.168.5.102 --dport 9997 -j ACCEPT

check port listening
# netstat -tnap | grep -e 9997

Check universal forwarder connection
# tail -f /opt/splunk/var/log/splunk/splunkd.log

Comments