Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure

This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

Manually configure log collection on a *nix host for Splunk App for Infrastructure

To configure data collection, you must log in to an account with permissions to use sudo for root access. Do not log in as the root user.

Install and configure a universal forwarder manually to collect logs on a *nix host instead of using the script when:

  • You are installing the universal forwarder on a closed network.
  • You already have a universal forwarder on the host from which you want to collect data.
  • You do not have trusted URLs from which you can download the universal forwarder package.

If you manually configure log collection, you also need to manually configure metrics collection. For more information, see Manually configure metrics collection on a *nix host for Splunk App for Infrastructure.

Steps

Follow these steps to install a universal forwarder on a host and configure log collection from the host.

1. Install the universal forwarder

To install a universal forwarder on a *nix host, see Install a *nix universal forwarder.

2. Configure the inputs.conf file

Create and configure the inputs.conf file to monitor files and directories from your *nix host in the Splunk App for Infrastructure (SAI). You can also configure collectd to forward metrics data to a local universal forwarder. For more information, see Send collectd data to a universal forwarder.

  1. Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
  2. If the inputs.conf file does not exist, create it.
  3. Open the inputs.conf file with a text editor.
  4. Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf.
  5. (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For more information, see Configuration settings and inputs.conf.
  6. Save and close the inputs.conf file.
  7. Restart Splunk Enterprise.

Sample inputs.conf file

[monitor:///var/log/syslog]
disabled = false
sourcetype = syslog

[monitor:///var/log/daemon.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/auth.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/apache/access.log]
disabled = false
sourcetype = combined_access

[monitor:///var/log/apache/error.log]
disabled = false
sourcetype = combined_access

[monitor:///opt/splunkforwarder/var/log/splunk/*.log]
disabled = false
index = _internal

[monitor:///etc/collectd/collectd.log]
disabled = false
index = _internal

3. Configure the outputs.conf file

Create and configure the outputs.conf file to define how the universal forwarder sends data to your Splunk Enterprise instance.

  1. Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
  2. If the outputs.conf file does not exist, create it.
  3. Open the outputs.conf file with a text editor.
  4. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For information, see Configuration levels for outputs.conf.
  5. Save and close the outputs.conf file.
  6. Restart Splunk Enterprise.

Sample outputs.conf file

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = serverName:9997
Last modified on 07 July, 2020
Collect Linux/Unix metrics and logs with Splunk App for Infrastructure   Manually configure metrics collection on a *nix host for Splunk App for Infrastructure

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters