Splunk forwarder (Windows and Linux)

Configuration of the 'Splunk forwarder' log shipper

This section explains how to configure the 'Splunk' forwarder as a log shipper.

In order for the Splunk forwarder to send log events to the event gateway, you have to configure two elements:

  1. Event Gateway Endpoint

  2. Splunk forwarder configuration on Linux/Windows

Step 1:

An example Event Gateway Endpoint configuration is shown in the snippet below. The forwarder's outputs.conf (Step 2) must point at this endpoint's port (9997 here).

Gateway Endpoint:
endpoints:
- name: windows_events
  enabled: true
  type: tcp_json
  port: 9997
  attrs:
    site_code: dc1
    archive_name: splunk_events
  stream: windows-splunk-stream

Step 2:

Update the inputs.conf and outputs.conf files under the path below:

inputs.conf file:

cd /opt/splunkforwarder/etc/system/local/

##Example adding messages##
[monitor:///var/log/messages*]
_TCP_ROUTING = *
disabled = false

outputs.conf file (replace <event-gateway> with the hostname or IP address of the event gateway):

[tcpout]
# output group used by every input that does not set its own _TCP_ROUTING
defaultGroup = default-autolb-group

[tcpout-server://<event-gateway>:9997]

[tcpout:default-autolb-group]
disabled = false
# send raw (uncooked) events: the receiver is the event gateway, not a Splunk indexer
sendCookedData = false
server = <event-gateway>:9997

#Example
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://10.95.131.101:9997]

[tcpout:default-autolb-group]
disabled = false
sendCookedData = false
server = 10.95.131.101:9997

Step 3:

Restart the Splunk forwarder service so the new inputs.conf and outputs.conf are loaded:

cd /opt/splunkforwarder/bin
./splunk stop
./splunk start
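Before restarting, it is worth checking that the two .conf files agree with each other and with the endpoint from Step 1. The script below is an added example, not part of the original page or of Splunk: it parses Splunk's stanza-based .conf format and flags the mistakes that most often leave a forwarder silently shipping nothing (a defaultGroup with no matching [tcpout:...] stanza, a disabled group, a server port that differs from the gateway endpoint's port, a missing [tcpout-server://...] stanza, an unreplaced <event-gateway> placeholder, or a _TCP_ROUTING target that does not exist). The sample inputs.conf and outputs.conf texts are constructed from the page's own examples plus one deliberately broken variant; the function and stanza names are this example's own.

```python
"""Consistency checks for a Splunk forwarder's inputs.conf / outputs.conf.

Added example (not part of the original page or of Splunk). It assumes the
gateway endpoint port from Step 1 is known (9997 in the page's example).
"""
from typing import Dict, List

Stanzas = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Stanzas:
    """Parse Splunk .conf text into {stanza_name: {key: value}}.

    Handles '[stanza]' headers, 'key = value' lines and '#' comment lines.
    A stanza with no settings (e.g. [tcpout-server://host:9997]) is kept
    with an empty dict so that its presence can still be checked.
    """
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_false(value: str) -> bool:
    """Splunk accepts several spellings for a false boolean setting."""
    return value.strip().lower() in ("false", "0", "no", "f")


def check_forwarder_config(inputs_text: str, outputs_text: str, gateway_port: int) -> List[str]:
    """Return a list of human-readable problems; an empty list means the configs are consistent."""
    problems: List[str] = []
    outputs = parse_conf(outputs_text)
    inputs = parse_conf(inputs_text)

    # [tcpout] must name a default group, and that group must exist as [tcpout:<group>]
    default_group = outputs.get("tcpout", {}).get("defaultGroup")
    groups = {name[len("tcpout:"):]: body for name, body in outputs.items() if name.startswith("tcpout:")}
    if not default_group:
        problems.append("outputs.conf: [tcpout] has no defaultGroup")
    elif default_group not in groups:
        problems.append(f"outputs.conf: defaultGroup '{default_group}' has no [tcpout:{default_group}] stanza")

    for group, body in groups.items():
        if not is_false(body.get("disabled", "false")):
            problems.append(f"outputs.conf: [tcpout:{group}] is disabled")
        servers = [s.strip() for s in body.get("server", "").split(",") if s.strip()]
        if not servers:
            problems.append(f"outputs.conf: [tcpout:{group}] has no server")
        for server in servers:
            host, sep, port = server.rpartition(":")
            if not sep or not port.isdigit():
                problems.append(f"outputs.conf: server '{server}' is not host:port")
                continue
            if host.startswith("<") and host.endswith(">"):
                problems.append(f"outputs.conf: placeholder host '{host}' was not replaced")
            if int(port) != gateway_port:
                problems.append(f"outputs.conf: server '{server}' uses port {port} but the gateway endpoint listens on {gateway_port}")
            if f"tcpout-server://{server}" not in outputs:
                problems.append(f"outputs.conf: missing [tcpout-server://{server}] stanza")

    # inputs.conf needs at least one enabled monitor, and explicit routing must target a real group
    monitors = {name: body for name, body in inputs.items() if name.startswith("monitor://")}
    if not any(is_false(body.get("disabled", "false")) for body in monitors.values()):
        problems.append("inputs.conf: no enabled [monitor://...] stanza")
    for name, body in monitors.items():
        routing = body.get("_TCP_ROUTING", "*")
        if routing != "*":
            for target in routing.split(","):
                if target.strip() not in groups:
                    problems.append(f"inputs.conf: [{name}] routes to unknown tcpout group '{target.strip()}'")
    return problems


# Constructed sample configs: the page's inputs.conf and concrete outputs.conf, plus a broken variant.
INPUTS_CONF = """
##Example adding messages##
[monitor:///var/log/messages*]
_TCP_ROUTING = *
disabled = false
"""

OUTPUTS_CONF_OK = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://10.95.131.101:9997]

[tcpout:default-autolb-group]
disabled = false
sendCookedData = false
server = 10.95.131.101:9997
"""

# Constructed: typo in defaultGroup, group disabled, wrong port, no tcpout-server stanza.
OUTPUTS_CONF_BROKEN = """
[tcpout]
defaultGroup = default-autolb-grp

[tcpout:default-autolb-group]
disabled = true
sendCookedData = false
server = 10.95.131.101:9998
"""

if __name__ == "__main__":
    for label, conf in (("ok", OUTPUTS_CONF_OK), ("broken", OUTPUTS_CONF_BROKEN)):
        print(label, check_forwarder_config(INPUTS_CONF, conf, 9997) or "no problems found")
```

Run it on the real files with the gateway port from Step 1 before restarting the forwarder; an empty list means the files are at least internally consistent, while any reported problem should be fixed before the restart in Step 3.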
