Splunk® App for Infrastructure

Administer Splunk App for Infrastructure

Manually configure log collection on a *nix host for Splunk App for Infrastructure

To configure data collection, you must log in to an account with permissions to use sudo for root access. Do not log in as the root user.

Install and configure a universal forwarder manually to collect logs on a *nix host instead of using the script when:

  • You are installing the universal forwarder on a closed network.
  • You already have a universal forwarder on the host from which you want to collect data.
  • You do not have trusted URLs from which you can download the universal forwarder package.

If you manually configure log collection, you also need to manually configure metrics collection. For more information, see Manually configure metrics collection on a *nix host for Splunk App for Infrastructure.

Steps

Follow these steps to install a universal forwarder on a host and configure log collection from the host.

1. Install the universal forwarder

To install a universal forwarder on a *nix host, see Install a *nix universal forwarder.

2. Configure the inputs.conf file

Create and configure the inputs.conf file to monitor files and directories from your *nix host in the Splunk App for Infrastructure (SAI). You can also configure collectd to forward metrics data to a local universal forwarder. For more information, see Send collectd data to a universal forwarder.

  1. Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
  2. If the inputs.conf file does not exist, create it.
  3. Open the inputs.conf file with a text editor.
  4. Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf.
  5. (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For more information, see Configuration settings and inputs.conf.
  6. Save and close the inputs.conf file.
  7. Restart the universal forwarder so that it loads the new inputs.conf. Restarting Splunk Enterprise on the indexer does not reload configuration on the forwarder.

Sample inputs.conf file

# Paths below are Debian/Ubuntu defaults. On RHEL-family hosts the equivalents
# are /var/log/messages and /var/log/secure, and Apache logs live under
# /var/log/httpd (Debian: /var/log/apache2); adjust the paths to match the host.
[monitor:///var/log/syslog]
disabled = false
sourcetype = syslog

[monitor:///var/log/daemon.log]
disabled = false
sourcetype = syslog

# auth.log is typically owned root:adm with mode 640. The account the forwarder
# runs as must be able to read it (for example, through membership in adm),
# otherwise the input silently collects nothing.
[monitor:///var/log/auth.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/apache/access.log]
disabled = false
sourcetype = combined_access

# The Apache error log is not in combined access format; use Splunk's
# pretrained apache_error sourcetype so that its lines are parsed correctly.
[monitor:///var/log/apache/error.log]
disabled = false
sourcetype = apache_error

# The forwarder's own logs. This path assumes the default install location
# /opt/splunkforwarder; change it if SPLUNK_HOME is elsewhere.
[monitor:///opt/splunkforwarder/var/log/splunk/*.log]
disabled = false
index = _internal

[monitor:///etc/collectd/collectd.log]
disabled = false
index = _internal

3. Configure the outputs.conf file

Create and configure the outputs.conf file to define how the universal forwarder sends data to your Splunk Enterprise instance.

  1. Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
  2. If the outputs.conf file does not exist, create it.
  3. Open the outputs.conf file with a text editor.
  4. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For information, see Configuration levels for outputs.conf.
  5. Save and close the outputs.conf file.
  6. Restart the universal forwarder so that it loads the new outputs.conf. Restarting Splunk Enterprise on the indexer does not reload configuration on the forwarder.

Sample outputs.conf file

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

# Replace serverName with the hostname or IP address of your receiver. To
# load-balance across several receivers, list them as comma-separated
# host:port pairs. Port 9997 is the conventional receiving port. As written,
# this stanza sends data in cleartext; add the TLS settings for outputs.conf
# to this group stanza to encrypt the connection and verify the receiver.
[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = serverName:9997
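
The two configuration steps above, as an added example in POSIX shell that is not part of the Splunk documentation or of the app: the functions below write inputs.conf and outputs.conf under a caller-supplied SPLUNK_HOME, validate the receiver list, read values back out of the files, and check that the account running the forwarder can actually read every monitored path before you restart it (files such as /var/log/auth.log are usually not readable by an unprivileged service account, and a monitor stanza on an unreadable file collects nothing without any error in the data). The app directory name splunk_app_infra_uf_config comes from the steps above; SPLUNK_HOME, the receiver host:port pairs, the paths passed to sai_add_monitor, and all function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation or the app): generate the two
# files from steps 2 and 3 under a caller-supplied SPLUNK_HOME, then check that
# the account running the forwarder can read every monitored path.
# Assumed: the app directory name splunk_app_infra_uf_config (from the steps
# above); SPLUNK_HOME and receiver host:port pairs are supplied by the caller.
#
# Usage (after sourcing this file):
#   sai_add_monitor /opt/splunkforwarder/etc/apps/splunk_app_infra_uf_config/local/inputs.conf /var/log/auth.log syslog
#   sai_write_outputs /opt/splunkforwarder idx1.example.com:9997 idx2.example.com:9997
#   sudo -u splunkfwd sh -c '. ./sai_uf.sh; sai_unreadable_monitors .../local/inputs.conf'
#   sai_apply /opt/splunkforwarder

SAI_APP=splunk_app_infra_uf_config

# sai_local_dir SPLUNK_HOME -> prints the app's local/ directory
sai_local_dir() {
    printf '%s/etc/apps/%s/local\n' "$1" "$SAI_APP"
}

# sai_add_monitor INPUTS_FILE PATH SOURCETYPE [INDEX]
# Appends one [monitor://PATH] stanza. PATH may contain a glob such as *.log.
sai_add_monitor() {
    mkdir -p "$(dirname "$1")" || return 1
    {
        printf '[monitor://%s]\n' "$2"
        printf 'disabled = false\n'
        printf 'sourcetype = %s\n' "$3"
        [ $# -ge 4 ] && printf 'index = %s\n' "$4"
        printf '\n'
    } >> "$1"
}

# sai_write_outputs SPLUNK_HOME HOST:PORT [HOST:PORT ...]
# Writes outputs.conf with every receiver in one load-balanced group. Each
# argument must look like host:port. Without TLS settings in the group stanza
# the data crosses the network in cleartext and the receiver is not verified.
sai_write_outputs() {
    sai_dir=$(sai_local_dir "$1") || return 1
    shift
    [ $# -ge 1 ] || { echo 'sai_write_outputs: need at least one host:port' >&2; return 1; }
    for sai_srv in "$@"; do
        case $sai_srv in
            *:[0-9]*) ;;
            *) echo "sai_write_outputs: expected host:port, got '$sai_srv'" >&2; return 1 ;;
        esac
    done
    sai_servers=$(printf '%s,' "$@")
    sai_servers=${sai_servers%,}
    mkdir -p "$sai_dir" || return 1
    cat > "$sai_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = $sai_servers
EOF
}

# sai_conf_get FILE STANZA KEY -> prints KEY's value inside [STANZA]
# (expects the "key = value" layout that the writers above emit)
sai_conf_get() {
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { in_s = ($0 == s); next }
        in_s && $1 == k && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# sai_unreadable_monitors INPUTS_FILE
# Expands each [monitor://...] path and prints a MISSING or UNREADABLE line for
# every path the current user cannot read. Run it as the forwarder's service
# account (for example via sudo -u splunkfwd), since files such as
# /var/log/auth.log are usually root:adm mode 640. Returns 1 on any hit.
sai_unreadable_monitors() {
    sai_rc=0
    sai_list=$(sed -n 's|^\[monitor://\(.*\)\]$|\1|p' "$1")
    # Unquoted expansion expands globs; a pattern that matches nothing stays literal.
    for sai_path in $sai_list; do
        if [ ! -e "$sai_path" ]; then
            echo "MISSING $sai_path"; sai_rc=1
        elif [ ! -r "$sai_path" ]; then
            echo "UNREADABLE $sai_path"; sai_rc=1
        fi
    done
    return $sai_rc
}

# sai_apply SPLUNK_HOME: validate the merged configuration with btool, then
# restart the forwarder (not Splunk Enterprise) so the new files take effect.
sai_apply() {
    [ -x "$1/bin/splunk" ] || { echo "sai_apply: $1/bin/splunk not found" >&2; return 1; }
    "$1/bin/splunk" btool check || return 1
    "$1/bin/splunk" restart
}
```

Run the writer functions as the user that owns SPLUNK_HOME, run sai_unreadable_monitors as the forwarder's service account so the readability result reflects what the forwarder will actually see, and only then call sai_apply. Paths containing whitespace are not handled by the readability check, which splits the stanza list on whitespace to let the shell expand globs.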

This documentation applies to the following versions of Splunk® App for Infrastructure: 1.3.0, 1.3.1, 1.4.0, 1.4.1
