Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure



This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

Manually configure log collection for *nix on Splunk App for Infrastructure

Admin privileges are required to configure metrics collection.

Install and configure a universal forwarder manually to collect logs on a *nix host instead of using the script when:

  • You are installing the universal forwarder on a closed network
  • You already have a universal forwarder on the host from which you want to collect data for the app
  • You do not have trusted URLs from which you can download the universal forwarder package

If you manually configure log collection, you also need to manually configure metrics collection. For more information, see Manually configure metrics collection for *nix on Splunk App for Infrastructure.

Steps

Follow these steps to install a universal forwarder on a host and configure log collection from the host.

1. Install the universal forwarder

To install a universal forwarder on a *nix host, see Install a *nix universal forwarder.

2. Configure the inputs.conf file

Create and configure the inputs.conf file to monitor files and directories from your *nix host in the Splunk App for Infrastructure.

  1. Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
  2. If the inputs.conf file does not exist, create it.
  3. Open the inputs.conf file with a text editor.
  4. Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf.
  5. (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For more information, see Configuration settings and inputs.conf.
  6. Save and close the inputs.conf file.
  7. Restart Splunk Enterprise.

Sample inputs.conf file

[monitor:///var/log/syslog]
disabled = false
sourcetype = syslog

[monitor:///var/log/daemon.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/auth.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/apache/access.log]
disabled = false
sourcetype = combined_access

[monitor:///var/log/apache/error.log]
disabled = false
sourcetype = combined_access

[monitor:///opt/splunkforwarder/var/log/splunk/*.log]
disabled = false
index = _internal

[monitor:///etc/collectd/collectd.log]
disabled = false
index = _internal

3. Configure the outputs.conf file

Create and configure the outputs.conf file to define how the universal forwarder sends data to your Splunk Enterprise instance.

  1. Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
  2. If the outputs.conf file does not exist, create it.
  3. Open the outputs.conf file with a text editor.
  4. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf.
  5. Save and close the outputs.conf file.
  6. Restart Splunk Enterprise.

Sample outputs.conf file

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = serverName:9997
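
Added example, not part of this Splunk topic: a small Python check that parses inputs.conf and outputs.conf bodies like the two samples above and flags the mistakes that most often leave a host silently unmonitored: a monitor path that is not absolute, a stanza with neither sourcetype nor index, a defaultGroup with no matching [tcpout:<group>] stanza, a malformed server value, or the serverName placeholder left in place. The two conf strings are constructed to mirror this page's samples; the host name used in the usage note is a made-up value.

```python
import configparser
# Constructed conf bodies mirroring the samples on this page (not real files).
INPUTS_CONF = """
[monitor:///var/log/auth.log]
disabled = false
sourcetype = syslog
"""
OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = serverName:9997
"""
def parse_conf(text):
    # Splunk .conf files are INI-like: [stanza] headers and key = value lines.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def validate_inputs(text):
    """Return problems found in an inputs.conf body (empty list means OK)."""
    problems = []
    for stanza, keys in parse_conf(text).items():
        if not stanza.startswith("monitor://"):
            problems.append(f"{stanza}: not a monitor:// stanza")
        elif not stanza[len("monitor://"):].startswith("/"):
            problems.append(f"{stanza}: monitored path must be absolute")
        if "sourcetype" not in keys and "index" not in keys:
            problems.append(f"{stanza}: set sourcetype or index so events are routed")
    return problems

def validate_outputs(text):
    """Return problems found in an outputs.conf body (empty list means OK)."""
    conf, problems = parse_conf(text), []
    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["[tcpout] has no defaultGroup"]
    target = conf.get(f"tcpout:{group}")
    if target is None:
        return [f"defaultGroup {group} has no [tcpout:{group}] stanza"]
    for server in target.get("server", "").split(","):
        host, sep, port = server.strip().rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            problems.append(f"{server.strip()!r}: server must be host:port")
        elif host == "serverName":
            problems.append("server still uses the serverName placeholder")
    return problems
```

Run `validate_inputs(open(path).read())` and `validate_outputs(...)` against the files in `${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local` before restarting; an empty list from both means the stanzas are at least well-formed and point at a real receiver.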
Last modified on 11 January, 2019

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.2.0, 1.2.1, 1.2.2, 1.2.3

