Manually configure log collection on a *nix host for Splunk App for Infrastructure
To configure data collection, you must log in to an account with permissions to use sudo for root access. Do not log in as the root user.
Install and configure a universal forwarder manually to collect logs on a *nix host instead of using the script when:
- You are installing the universal forwarder on a closed network.
- You already have a universal forwarder on the host from which you want to collect data.
- You do not have trusted URLs from which you can download the universal forwarder package.
If you manually configure log collection, you also need to manually configure metrics collection. For more information, see Manually configure metrics collection on a *nix host for Splunk App for Infrastructure.
Steps
Follow these steps to install a universal forwarder on a host and configure log collection from the host.
1. Install the universal forwarder
To install a universal forwarder on a *nix host, see Install a *nix universal forwarder.
2. Configure the inputs.conf file
Create and configure the inputs.conf
file to monitor files and directories from your *nix host in the Splunk App for Infrastructure (SAI). You can also configure collectd to forward metrics data to a local universal forwarder. For more information, see Send collectd data to a universal forwarder.
- Go to the
${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local
directory. - If the
inputs.conf
file does not exist, create it. - Open the
inputs.conf
file with a text editor. - Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf.
- (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For more information, see Configuration settings and inputs.conf.
- Save and close the
inputs.conf
file. - Restart Splunk Enterprise.
Sample inputs.conf file
[monitor:///var/log/syslog] disabled = false sourcetype = syslog [monitor:///var/log/daemon.log] disabled = false sourcetype = syslog [monitor:///var/log/auth.log] disabled = false sourcetype = syslog [monitor:///var/log/apache/access.log] disabled = false sourcetype = combined_access [monitor:///var/log/apache/error.log] disabled = false sourcetype = combined_access [monitor:///opt/splunkforwarder/var/log/splunk/*.log] disabled = false index = _internal [monitor:///etc/collectd/collectd.log] disabled = false index = _internal
3. Configure the outputs.conf file
Create and configure the outputs.conf
file to define how the universal forwarder sends data to your Splunk Enterprise instance.
- Go to the
${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local
directory. - If the
outputs.conf
file does not exist, create it. - Open the
outputs.conf
file with a text editor. - Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For information, see Configuration levels for outputs.conf.
- Save and close the
outputs.conf
file. - Restart Splunk Enterprise.
Sample outputs.conf file
[tcpout] defaultGroup = splunk-app-infra-autolb-group [tcpout:splunk-app-infra-autolb-group] disabled = false server = serverName:9997
Collect Linux/Unix metrics and logs with Splunk App for Infrastructure | Manually configure metrics collection on a *nix host for Splunk App for Infrastructure |
This documentation applies to the following versions of Splunk® App for Infrastructure (EOL): 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only
Feedback submitted, thanks!