Splunk® Enterprise

Add Cisco ASA data: Distributed deployment with indexer clustering



Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Install a universal forwarder on the same host as the syslog-ng server

Complete the following steps to install a Linux-based universal forwarder on your syslog-ng server to forward your Cisco ASA deployment-related syslog messages.

Install a universal forwarder with Linux

To install a universal forwarder and connect it to your Splunk platform deployment using Linux, perform the following steps:

  1. Download the Splunk universal forwarder for Linux.
  2. Install the universal forwarder.
  3. Start the universal forwarder.
  4. Configure the universal forwarder.
  5. Enable forwarder management in Splunk Web.

Download the universal forwarder

  1. Download the Splunk universal forwarder.
  2. Choose the platform installation package that applies to your operating system.
  3. Click Download Now.
  4. Read and agree to the Splunk Software License Agreement.
  5. Click Start Your Download Now.
  6. Move the downloaded package to the directory where you want to install the universal forwarder.

Install the universal forwarder

Install the universal forwarder on the computer that contains or has access to the data that you want to collect and forward to your Splunk Enterprise instance. To install the universal forwarder on a different computer, copy the universal forwarder package file to that machine before you perform this task. The universal forwarder installs by default in the splunkforwarder directory.

To install in a specific directory, either change directories to where you want to install the forwarder, or place the tar file in that directory before you run the tar command.

  • To expand the tar file into the current working directory, run the tar command. The forwarder is then installed under splunkforwarder in the current working directory:
tar xvzf splunkforwarder-<…>-Linux-x86_64.tgz
  • To install into /opt/splunkforwarder, run the following command:
tar xvzf splunkforwarder-<…>-Linux-x86_64.tgz -C /opt

Start the universal forwarder

Start the universal forwarder so that it can take configurations and forward data.

  1. Start the universal forwarder:
    cd $SPLUNK_HOME/bin
    ./splunk start

    When you start the forwarder for the first time, it prompts you to create an admin password:

    This appears to be your first time running this version of Splunk.
    
    An Admin password must be set before installation proceeds.
    Password must contain at least:
    * 8 total printable ASCII character(s).
    Please enter a new password:
  2. On first start the forwarder also presents the license agreement. To accept the license agreement without reviewing it, start the forwarder with the --accept-license flag instead:
    cd $SPLUNK_HOME/bin
    ./splunk start --accept-license
  3. To confirm the forwarder is running, run a status command:
    $SPLUNK_HOME/bin/splunk status
  4. Restart the universal forwarder whenever you need to apply a configuration change:
    cd $SPLUNK_HOME/bin
    ./splunk restart

Configure the universal forwarder to connect to the receiving port

From a shell or command prompt on the forwarder, run the following command:

./splunk add forward-server <host name or ip address>:<listening port>

For example, to connect to a receiver with the hostname idx1.mycompany.com that is listening on port 9997 for forwarders, type this command:

./splunk add forward-server idx1.mycompany.com:9997

The command records the receiver in $SPLUNK_HOME/etc/system/local/outputs.conf. In a deployment with indexer clustering, run the command once for each peer node (or configure indexer discovery in outputs.conf) so that the forwarder load-balances across the cluster and keeps forwarding when a single peer is unavailable. Note that the connection to the receiving port is plain TCP unless you configure SSL on both the forwarder and the indexers.
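The following script is an added example and is not code from the Splunk documentation. It carries out the install, start and connect steps above without interactive prompts, which is what you want on a syslog-ng host that is built by automation: the admin password is seeded from a root-only file through user-seed.conf instead of being typed or passed on the command line, the receiving ports are probed before the forwarder is pointed at them, and outputs.conf is written with every peer of the indexer cluster listed rather than a single receiver. The package file name, the indexer host names (idx1/idx2.mycompany.com), the tcpout group name cluster_indexers and the password file location are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Splunk's own code: non-interactive install, start and
# connect steps for a universal forwarder on the syslog-ng host.
# Assumptions (not on the page): package name, indexer host names, group name
# and the password file path are placeholders chosen for this example.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Install step: expand the package so that $SPLUNK_HOME is the install root
# (tar ... -C /opt yields /opt/splunkforwarder).
install_forwarder() {
    pkg="$1"
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    tar xzf "$pkg" -C "$(dirname "$SPLUNK_HOME")"
}

# Start step: seed the admin password from a root-only file before the first
# start so the forwarder does not prompt and the password never shows up in
# the process list or shell history. user-seed.conf is consumed on first start.
seed_admin_password() {
    pw_file="$1"
    [ -r "$pw_file" ] || { echo "cannot read password file: $pw_file" >&2; return 1; }
    seed="$SPLUNK_HOME/etc/system/local/user-seed.conf"
    mkdir -p "$(dirname "$seed")"
    ( umask 077; printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$(cat "$pw_file")" > "$seed" )
}

# Configure step: render the outputs.conf that `splunk add forward-server`
# builds, but with every cluster peer listed so the forwarder load-balances
# across them and keeps sending when one peer is down. useACK makes the
# forwarder keep data until an indexer confirms it was written.
render_outputs_conf() {
    group="$1"; shift
    [ "$#" -ge 1 ] || { echo "at least one indexer host:port is required" >&2; return 1; }
    servers=""
    for hp in "$@"; do
        servers="${servers:+$servers, }$hp"
    done
    printf '[tcpout]\ndefaultGroup = %s\n\n' "$group"
    printf '[tcpout:%s]\nserver = %s\nuseACK = true\n' "$group" "$servers"
    # Forwarder-to-indexer traffic is plain TCP unless SSL is set up on both
    # sides; with certificates in place, uncomment these (paths are placeholders).
    printf '# clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem\n'
    printf '# sslVerifyServerCert = true\n'
}

# Write the rendered config where the CLI would put it and echo the path.
write_outputs_conf() {
    dest="$SPLUNK_HOME/etc/system/local/outputs.conf"
    mkdir -p "$(dirname "$dest")"
    render_outputs_conf "$@" > "$dest"
    echo "$dest"
}

# Pre-flight: confirm the receiving port accepts a TCP connection so that a
# firewall rule or wrong port shows up here rather than as a silent data gap.
check_receiver() {
    host="${1%%:*}"; port="${1##*:}"
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Start and confirm steps: accept the license, answer all prompts, then verify.
start_forwarder() {
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    "$SPLUNK_HOME/bin/splunk" status
}

# Usage: sh uf-install.sh <splunkforwarder .tgz> <admin password file> <indexer:port> [<indexer:port> ...]
if [ "$#" -ge 3 ]; then
    pkg="$1"; pw_file="$2"; shift 2
    install_forwarder "$pkg"
    seed_admin_password "$pw_file"
    for hp in "$@"; do
        check_receiver "$hp" || echo "warning: $hp did not accept a TCP connection" >&2
    done
    write_outputs_conf cluster_indexers "$@"
    start_forwarder
fi
```

Run it as root on the syslog-ng host with the downloaded package, a mode 0600 password file and one host:port argument per cluster peer. The password file can be deleted after the first start, and the generated outputs.conf can be inspected before the forwarder is started; the SSL lines stay commented until the forwarder certificate and the indexers' splunktcp-ssl listener are in place.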
Last modified on 27 August, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

