Splunk forwarder (Windows and Linux)
Configuration of the 'Splunk forwarder' log shipper
This section explains how to configure Splunk as a log shipper.
For the Splunk component to send log events to the event gateway, two elements have to be configured:
Event Gateway Endpoint
Splunk forwarder configuration on Linux/Windows
Step 1:
An example Event Gateway Endpoint configuration is shown in the snippet below.
Gateway Endpoint:
endpoints:
  - name: windows_events
    enabled: true
    type: tcp_json
    port: 9997
    attrs:
      site_code: dc1
      archive_name: splunk_events
    stream: windows-splunk-stream
Step 2:
Update the inputs.conf and outputs.conf files under the path below:
cd /opt/splunkforwarder/etc/system/local/
inputs.conf file:
## Example: adding /var/log/messages ##
[monitor:///var/log/messages*]
_TCP_ROUTING = *
disabled = false
outputs.conf file:
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://<event-gateway>:9997]
[tcpout:default-autolb-group]
disabled = false
sendCookedData = false
server = <event-gateway>:9997
# Example with a concrete event gateway address
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://10.95.131.101:9997]
[tcpout:default-autolb-group]
disabled = false
sendCookedData = false
server = 10.95.131.101:9997
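The following Python script is an added example, not part of Splunk or of the event gateway product, that checks an outputs.conf against the endpoint from Step 1: defaultGroup must point at an existing [tcpout:<group>] stanza, sendCookedData must be false because the tcp_json endpoint expects raw events rather than Splunk's cooked forwarder framing, the <event-gateway> placeholder must have been replaced, and every server must use the endpoint's port. The minimal stanza parser and the embedded conf text are constructed for this example.

```python
GATEWAY_PORT = 9997  # port of the event gateway's tcp_json endpoint (Step 1)

# Constructed outputs.conf text in the same shape as the example above
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://10.95.131.101:9997]
[tcpout:default-autolb-group]
disabled = false
sendCookedData = false
server = 10.95.131.101:9997
"""

def parse_conf(text):
    """Minimal parser for Splunk-style .conf text -> {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_outputs(text, gateway_port=GATEWAY_PORT):
    """Return a list of problems; an empty list means outputs.conf fits the gateway."""
    conf = parse_conf(text)
    group = conf.get("tcpout", {}).get("defaultGroup")
    target = conf.get(f"tcpout:{group}") if group else None
    if target is None:
        return ["[tcpout] defaultGroup is missing or has no [tcpout:<group>] stanza"]
    problems = []
    # A tcp_json endpoint expects raw events, not Splunk's cooked S2S framing
    if target.get("sendCookedData", "true").lower() != "false":
        problems.append("sendCookedData must be false for a tcp_json endpoint")
    servers = [s.strip() for s in target.get("server", "").split(",") if s.strip()]
    if not servers:
        problems.append(f"[tcpout:{group}] has no server")
    for server in servers:
        host, _, port = server.rpartition(":")
        if not host or host.startswith("<"):
            problems.append(f"server placeholder not replaced: {server!r}")
        elif not port.isdigit() or int(port) != gateway_port:
            problems.append(f"{server} does not use gateway port {gateway_port}")
    return problems
```

Run it against the real file with check_outputs(open("/opt/splunkforwarder/etc/system/local/outputs.conf").read()) before restarting the forwarder in Step 3.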
Step 3:
Restart the Splunk forwarder service:
cd /opt/splunkforwarder/bin
./splunk stop
./splunk start