Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Configure targeted packet capture

To collect full network packets using targeted packet capture, you must map your Splunk Stream deployment to a remote file server. Stream forwarder uses the file server to store pcap files that it generates based on packet stream definitions. For more information, see Configure packet streams in the Spunk Stream User Manual.

Map deployment to remote file server

Targeted packet capture requires mapping of your Splunk Stream deployment to a remote file server. Before you create new packet streams in splunk_app_stream, complete the following configuration steps:

1. Set up and mount file server

  1. If necessary, create a NFS (or similar) file server volume. For more information, see Set up a NFS server.
  2. On the host machine running the streamfwd binary, mount the file server volume. (This applies to both Splunk_TA_stream and indpenedent Stream forwarder deployments.)

2. Add file server parameters to streamfwd.conf

  1. Edit local/streamfwd.conf
  2. Add the following parameters to the [streamfwd] stanza:
    fileServerId = <value>
    fileServerMountPoint = <value>
    

    For example:

    [streamfwd]
    fileServerId = nfs://192.168.6.1/packetcaptures
    fileServerMountPoint = /usr/local/packetcaptures
    
  3. Restart Splunk.

3. Mount file server on search head

On the search head running splunk_app_stream, create a mount point. For more information, see Setting up a NFS client.

4. Configure mount point for file server

  1. In the splunk_app_stream UI, click Configuration > File Server Mount Points.
  2. Click Add File Server.
  3. Specify the File Server and Mount Point. Click Create.

Create new packet streams

After mapping your Splunk Stream deployment to your remote file server, you are ready to create new packets streams and collect full network packets using targeted packet capture.

  1. In splunk_app_stream, click Configuration > Configure Streams.
  2. Click New Stream > Packet Stream.
  3. Follow the steps in the workflow wizard to configure your packet stream. For detailed instructions, see Configure packet streams.
Last modified on 11 July, 2017
Configure file extraction   Configure Flow collector

This documentation applies to the following versions of Splunk Stream: 7.1.0, 7.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters