Splunk Stream

Installation and Configuration Manual


Configure targeted packet capture

To collect full network packets using targeted packet capture, you must map your Splunk Stream deployment to a remote file server. Stream forwarder uses the file server to store pcap files that it generates based on packet stream definitions. For more information, see Configure packet streams in the Splunk Stream User Manual.

Map deployment to remote file server

To configure targeted packet capture, you map your Splunk Stream deployment to a remote file server. Before you create new packet streams in splunk_app_stream, complete the following configuration steps:

1. Set up and mount the file server

  1. Make sure you have an NFS (or similar) file server volume. To create one, see Set up a NFS server.
  2. On the host machine running the streamfwd binary, mount your file server volume. (This applies to both Splunk_TA_stream and independent Stream forwarder deployments.)

2. Add file server parameters to streamfwd.conf

  1. In $SPLUNK_HOME/etc/apps/Splunk_TA_stream/, open local/streamfwd.conf.
  2. Add the following parameters to the [streamfwd] stanza:

     fileServerId = <value>
     fileServerMountPoint = <value>

     For example:

     [streamfwd]
     fileServerId = nfs://192.168.6.1/packetcaptures
     fileServerMountPoint = /usr/local/packetcaptures

  3. Restart Splunk.

3. Mount file server on search head

On the search head running splunk_app_stream, create a mount point. For more information, see Setting up a NFS client.

4. Configure mount point for file server

  1. In the splunk_app_stream UI, click Configuration > File Server Mount Points.
  2. Click Add File Server.
  3. Specify the File Server and Mount Point. Click Create.
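As an added check before you continue (an example script, not part of Splunk Stream or its documentation), the following validates the [streamfwd] parameters from step 2 and the mount point from step 1. It assumes a Linux host with util-linux mountpoint and GNU stat available, and takes the path to streamfwd.conf as its argument.

```shell
#!/bin/sh
# Added example, not part of Splunk Stream: sanity-check the [streamfwd] stanza
# and the pcap mount point before creating packet streams. Assumes a Linux host
# with util-linux (mountpoint) and GNU coreutils (stat); the conf file path is
# an argument, not a fixed location.

# Print the value of key $2 from the [streamfwd] stanza of conf file $1.
streamfwd_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[streamfwd\][ \t]*$/); next }
        in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Succeed only when both parameters are present, fileServerId is an nfs:// URI
# and fileServerMountPoint is an absolute path; print "id -> mountpoint".
streamfwd_check_conf() {
    id=$(streamfwd_get "$1" fileServerId)
    mp=$(streamfwd_get "$1" fileServerMountPoint)
    [ -n "$id" ] || { echo "fileServerId missing from [streamfwd]" >&2; return 1; }
    [ -n "$mp" ] || { echo "fileServerMountPoint missing from [streamfwd]" >&2; return 1; }
    case "$id" in nfs://*) ;; *) echo "fileServerId is not an nfs:// URI: $id" >&2; return 1 ;; esac
    case "$mp" in /*) ;; *) echo "fileServerMountPoint is not absolute: $mp" >&2; return 1 ;; esac
    echo "$id -> $mp"
}

# Succeed only when the mount point exists, is an active mount, and is not
# world-readable (full packet captures land here, so "other" must have no read bit).
streamfwd_check_mount() {
    [ -d "$1" ] || { echo "$1 does not exist" >&2; return 1; }
    mountpoint -q "$1" || { echo "$1 is not a mounted volume" >&2; return 1; }
    mode=$(stat -c %a "$1")
    case "$mode" in *[4567]) echo "$1 is world-readable (mode $mode)" >&2; return 1 ;; esac
    echo "$1 is mounted, mode $mode"
}

# Usage: sh check_streamfwd.sh $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf
if [ -n "$1" ]; then
    streamfwd_check_conf "$1" && streamfwd_check_mount "$(streamfwd_get "$1" fileServerMountPoint)"
fi
```

Run it on the forwarder host after step 2 and again on the search head after step 3; a non-zero exit means a packet stream created later will have nowhere safe to write its pcap files.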

Create new packet streams

After mapping your Splunk Stream deployment to your remote file server, you are ready to create new packet streams and collect full network packets using targeted packet capture.

  1. In splunk_app_stream, click Configuration > Configure Streams.
  2. Click New Stream > Packet Stream.
  3. Follow the steps in the workflow wizard to configure your packet stream. For detailed instructions, see Configure packet streams.
Last modified on 02 August, 2020

This documentation applies to the following versions of Splunk Stream: 7.1.2, 7.1.3, 7.2.0