Manually configure log collection for *nix on Splunk App for Infrastructure
Admin privileges are required to configure metrics collection.
Install and configure a universal forwarder manually to collect logs on a *nix host instead of using the script when:
- You are installing the universal forwarder on a closed network
- You already have a universal forwarder on the host from which you want to collect data for the app
- You do not have trusted URLs from which you can download the universal forwarder package
If you manually configure log collection, you also need to manually configure metrics collection. For more information, see Manually configure metrics collection for *nix on Splunk App for Infrastructure.
Steps
Follow these steps to install a universal forwarder on a host and configure log collection from the host.
1. Install the universal forwarder
To install a universal forwarder on a *nix host, see Install a *nix universal forwarder.
2. Configure the inputs.conf file
Create and configure the inputs.conf file to monitor files and directories from your *nix host in the Splunk App for Infrastructure.
- Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
- If the inputs.conf file does not exist, create it.
- Open the inputs.conf file with a text editor.
- Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf.
- (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For more information, see Configuration settings and inputs.conf.
- Save and close the inputs.conf file.
- Restart Splunk Enterprise.
Sample inputs.conf file

[monitor:///var/log/syslog]
disabled = false
sourcetype = syslog

[monitor:///var/log/daemon.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/auth.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/apache/access.log]
disabled = false
sourcetype = combined_access

[monitor:///var/log/apache/error.log]
disabled = false
sourcetype = combined_access

[monitor:///opt/splunkforwarder/var/log/splunk/*.log]
disabled = false
index = _internal

[monitor:///etc/collectd/collectd.log]
disabled = false
index = _internal
3. Configure the outputs.conf file
Create and configure the outputs.conf file to define how the universal forwarder sends data to your Splunk Enterprise instance.
- Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
- If the outputs.conf file does not exist, create it.
- Open the outputs.conf file with a text editor.
- Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For information, see Configuration levels for outputs.conf.
- Save and close the outputs.conf file.
- Restart Splunk Enterprise.
Sample outputs.conf file

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = serverName:9997
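Before restarting, it is worth checking that the two files you just wrote are internally consistent: every monitor stanza names an absolute path and has a sourcetype or index, and the defaultGroup in outputs.conf points at a defined tcpout group whose server entries are host:port. The following is an added example, not Splunk's own code; the sample strings are constructed from the files shown above and the parser assumes the simple "key = value" stanza layout used there.

```python
"""Added example (not from the Splunk docs): parse and sanity-check the inputs.conf
and outputs.conf written above. Samples below are constructed from the page's files."""
import re

INPUTS_SAMPLE = """[monitor:///var/log/auth.log]
sourcetype = syslog
[monitor:///opt/splunkforwarder/var/log/splunk/*.log]
index = _internal
"""
OUTPUTS_SAMPLE = """[tcpout]
defaultGroup = splunk-app-infra-autolb-group
[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = serverName:9997
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}; '#' lines are comments."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conf[current][key.strip()] = value.strip()
    return conf

def check_inputs(conf):
    """List problems: each stanza must be a monitor:// input with an absolute path and a target."""
    problems = []
    for stanza, settings in conf.items():
        if not stanza.startswith("monitor://"):
            problems.append(f"{stanza}: not a monitor input")
        elif not stanza[len("monitor://"):].startswith("/"):
            problems.append(f"{stanza}: path must be absolute")
        elif "sourcetype" not in settings and "index" not in settings:
            problems.append(f"{stanza}: no sourcetype or index set")
    return problems

def check_outputs(conf):
    """List problems: defaultGroup must name a defined tcpout group with host:port servers."""
    group = conf.get("tcpout", {}).get("defaultGroup")
    if group is None:
        return ["[tcpout] has no defaultGroup"]
    target = conf.get(f"tcpout:{group}")
    if target is None:
        return [f"defaultGroup {group} has no [tcpout:{group}] stanza"]
    return [f"server entry {s.strip()!r} is not host:port"
            for s in target.get("server", "").split(",")
            if not re.fullmatch(r"[A-Za-z0-9.\-]+:\d{1,5}", s.strip())]
```

Run check_inputs(parse_conf(...)) and check_outputs(parse_conf(...)) on the real files under the local directory; an empty list from each means the forwarder has a valid path set and a resolvable receiving host before you restart.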
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.2.0, 1.2.1, 1.2.2, 1.2.3