Splunk® IT Essentials Work

Entity Integrations Manual

Manually collect logs from a *nix host in ITE Work

You can manually set up a universal forwarder to collect logs from a *nix host. Manually configure log collection for a host when you meet at least one of these conditions:

  • You're collecting data from a host on a closed network with no internet access.
  • You already installed a universal forwarder on the host.
  • You don't have trusted URLs you can download the required packages from.

If you also want to collect metrics data from a Linux host, see Manually collect metrics from a *nix host in ITE Work.

Prerequisites

Requirement Description
*nix host *nix integration operating system support
Administrator role

In Splunk Enterprise, you have to be a user with the admin role.

In Splunk Cloud Platform, you have to be a user with the sc_admin role.

Steps

Follow these steps to install a universal forwarder on a host and configure log collection.

1. Install the universal forwarder

Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a *nix universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

2. Configure inputs.conf on the universal forwarder

Configure the inputs.conf on the universal forwarder file to monitor files and directories from your host in ITE Work.

  1. Create the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory if it doesn't already exist.
  2. Create inputs.conf if it doesn't already exist.
  3. Open inputs.conf with a text editor.
  4. Add these stanzas to configure the host and receiving port:
    host = <monitoring_machine>
    
    tcp://<receiver_port>
    
    Setting Description
    monitoring_machine The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
    receiver_port The port that your Splunk platform deployment uses to receive data.
  5. Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf in the Splunk Enterprise Getting Data In guide.
  6. (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For example, this stanza monitors a syslog file at /var/log/syslog:
    [monitor:///var/log/syslog]
    disabled = false
    sourcetype = syslog
    
    For more information, see Configuration settings in the Splunk Enterprise Getting Data in guide and inputs.conf in the Splunk Enterprise Admin Manual.
  7. Save and close the inputs.conf file.
  8. Restart splunkd. If you also need to configure outputs.conf in the next step, you can wait to restart splunkd until after you've configured outputs.conf as well.
    $SPLUNK_HOME/bin/splunk restart
    

3. Configure outputs.conf on the universal forwarder

Configure outputs.conf on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment.

  1. Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
  2. Open outputs.conf with a text editor.
  3. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
  4. Save and close outputs.conf.
  5. Restart splunkd.
    $SPLUNK_HOME/bin/splunk restart
    

Example inputs.conf for a universal forwarder

[monitor:///var/log/syslog]
disabled = false
sourcetype = syslog

[monitor:///var/log/daemon.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/auth.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/apache/access.log]
disabled = false
sourcetype = combined_access

[monitor:///var/log/apache/error.log]
disabled = false
sourcetype = combined_access

[monitor:///opt/splunkforwarder/var/log/splunk/*.log]
disabled = false
index = _internal

[monitor:///etc/collectd/collectd.log]
disabled = false
index = _internal

Example outputs.conf for a universal forwarder

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = <monitoring_machine>:<receiver_port>
Setting Description
monitoring_machine The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
receiver_port The port that your Splunk platform deployment uses to receive data.
Last modified on 28 February, 2024
Manually collect metrics from a *nix host in   Troubleshoot the Unix and Linux entity integration in

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters