Configure Forwarder Parameters in streamfwd.conf
Edit streamfwd.conf to specify system-level parameters for your Stream forwarders. You can configure streamfwd.conf to:
- listen on specific IP addresses and ports
- enable SSL
- redirect log files
- collect network events
- specify network interfaces
You can edit streamfwd.conf in:
- Splunk Add-on for Stream Forwarder, which is located at
$SPLUNK_HOME/etc/apps/Splunk_TA_stream/default/ - Independent Stream Forwarders, which is located at
/opt/streamfwd/default/.
Streamfwd.conf parameters
streamfwd.conf configuration file accepts these parameters.
| Parameter | Description | Value type | Default value |
|---|---|---|---|
clientIpSslHashBytes
|
Defines the number of client IP octets to use for SSL processor thread hash algorithm. The minimum value = 0; The maximum value = 4. Applies only if you have _disabled_ useGlobalSSLSessionKeyCache | client IP octets | 2 |
dedicatedCaptureMode
|
Enables dedicated capture mode, which provides support for 10Gbps capture on compatible network interfaces. To enable dedicated capture mode, add dedicatedCaptureMode = 1 to streamfwd.conf
|
boolean | 0 (false) |
duplicatePacketWindow
|
Uses a rolling window to define the number of packets cached in memory. Set this to a value greater than zero to enable automatic de-duplication of network packets. | packets cached in-memory | 0 |
hideCreditCardNumbers
|
Masks credit card numbers. Set to false to show all credit card numbers.
|
boolean | true |
mapSslServers
|
Set to False to disable automatic caching of SSL server certificates to corresponding server's IP addresses. | boolean | true |
maxEventQueueSize
|
Specifies the maximum number of events queued for delivery to Splunk. | events | 10000 |
maxFieldSize
|
Defines maximum size of content field. | bytes | 10240 |
maxPacketQueueSize
|
Defines maximum size for each processing threads' packet queue. Must be a power of 2 for dedicated capture mode. | packets | 262144 |
maxTcpReassemblyPacketCount
|
Specifies the maximum number of TCP packets in reassembly queue per processing thread. | TCP packets | 500000 |
maxTcpSessionCount
|
Specifies the maximum number of concurrent TCP/UDP flows per processing thread. | TCP/UDP flows | 50000 |
pcapBufferSize
|
Specifies the buffer size for each network device. Increase the number of bytes if you see dropped packets. | bytes | 33554432 |
pingInterval
|
Modifies the ping server interval. | seconds | 5 |
processingThreads
|
Specifies the number of threads to use for processing network traffic. | threads | 2 |
sessionKeyTimeout
|
Specifies idle time before SSL session keys expire. | seconds | 3600 |
sslServer
|
Allows directly specify IP addresses/ports targeted for SSL decryption. | ||
streamfwdcapture
|
Restricts data capture to specified network interfaces | ||
tcpConnectionTimeout
|
Specifies idle time before TCP/UDP flows expire. | seconds | 180 |
tcpServer
|
Defines endpoints for TCP servers | ||
useGlobalSSLSessionKeyCache
|
Enables sharing of SSL cache across processing threads. Set to True to share the SSL cache. | boolean | false |
usePacketMemoryPool
|
When set to True, Stream forwarder uses a pool allocator to allot memory for storing network packets. Because the pool allocator does not release unused memory back to the operating system, setting this parameter to true may result in high memory usage. Set to True only when Stream forwarder is running on a dedicated capture server that processes large traffic volumes. | boolean | false |
Note: For a complete list of streamfwd.conf parameters, see streamfwd.conf.spec in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/README.
Common use case examples
You can refer to these examples to help you use streamfwd.conf to configure some common use cases.
Use tcpServer to specify endpoints
Stream forwarder automatically detects the client and server endpoints when it captures the beginnings of TCP connections. If it starts capturing traffic after establishing a TCP connection, the Stream forwarder assumes that the sender of the first packet it sees is the client.
You can modify this behavior by editing the tcpServer parameter to define the endpoints of specific TCP servers. If the sender for a packet matches the endpoint, Stream forwarder correctly categorizes it as a server response packet.
Example: Define a Single HTTP server endpoint using tcpServer
tcpServer.N.address = 192.168.1.102 tcpServer.N.port = 80
Example: Define a Wildcard endpoint using tcpServer
tcpServer.<N>.address = 192.168.1.0 tcpServer.<N>.addressWildCard = 255.255.255.0 tcpServer.<N>.port = 80
Use the sslServer parameter to specify encrypted/decrypted traffic
Stream forwarder detects endpoint encryption and attempts to decrypt SSL sessions using the available private keys. You can optionally define the traffic as encrypted by adding sslServer parameters.
sslServer.<N>.address = 192.168.1.102 sslServer.<N>.port = 443
Use streamfwdcapture to specify network interfaces
By default, streamfwd.conf listens for traffic on all available network interfaces. Use the streamfwdcapture parameter to restrict data capture to specific interfaces.
The streamfwdcapture parameter supports the following options:
| Parameter | Description |
|---|---|
streamfwdcapture.<N>.interface
|
Specify a network interface name or a path to a PCAP file |
streamfwdcapture.<N>.interfaceRegex
|
Specify a regular expression to match multiple network interfaces |
streamfwdcapture.<N>.offline
|
Set to True to use PCAP. Set to False to inidicate that <Interface> is a network device name. The default value is False. |
streamfwdcapture.<N>.filter
|
Lets you set a BPF (Berkeley Packet Filter) for kernel-level packet filtering. The value of this tag must comply with BPF syntax. Only one Filter variable per streamfwdcapture parameter is supported.
|
streamfwdcapture.<N>.repeat
|
Set to True to play back the PCAP file repeatedly for continuous load. |
streamfwdcapture.<N>.sysTime
|
Set to True to use the system time for packet timestamps instead of actual time timestamps from PCAP file. |
streamfwdcapture.<N>.bitsPerSecond
|
Rate limiter that defaults to 10 Mbps if undefined and <Repeat> is true. |
To restrict data capture to specific network interfaces, add a [streamfwd] stanza to streamfwd.conf. You can use streamfwdcapture parameters to specify multiple network interfaces in a single streamfwd.conf file. For example, to specify two network interfaces - eth0 and eth1 - configured with different BPF filters on *nix:
[streamfwd] streamfwdcapture.0.interface = eth0 streamfwdcapture.0.filter = tcp port 80 streamfwdcapture.1.interface = eth1 streamfwdcapture.1.filter = udp port 53
Specify a network interface on Windows
This example specifies a Windows network interface:
streamfwdcapture.0.interface = \Device\NPF_{D6995D00-B75C-48DB-99AA-69F0150126BC}
streamfwdcapture.0.offline = false
streamfwdcapture.0.filter = tcp port 80
On Windows, you can substitute the streamfwdcapture.<N>.interface or streamfwdcapture.<N>.InterfaceRegex name (such as \Device\NPF_{D6995D00-B75C-48DB-99AA-69F0150126BC}) with the <Alias> or <Description> value returned by the --iflist command line option.
For example, streamfwdcapture.<N>.interface = Local Area Connection 2 or streamfwdcapture.<N>.InterfaceRegex = Local Area.*.
For more information, see "List network interfaces on Windows and Linux" in this manual.
streamfwdcapture examples
Example: Configure streamfwd.conf to include local loopback capture
Stream forwarder by default does not capture traffic that originates and terminates on the same machine. You can enable capture of this "local loopback" traffic using the streamfwdcapture parameter in the configuration file:
streamfwdcapture.<N>.interface = lo0
Note: you cannot use streamfwdcapture.<N>.interfaceRegex> parameter to specify local loopback interfaces.
Example: Configure streamfwd.conf for use across multiple systems
As a best practice, maintain a master copy of streamfwd.conf that you can reuse across multiple systems that have different network device names. The following streamfwd.conf configuration listens on all matching interfaces found. This configuration does not capture local loopback interfaces.
streamfwdcapture.<N>.interfaceRegex = .*
Note that this configuration may generate startup warnings for any devices that do not support passive data capture.
Example: Capture data on specific network interfaces
In this example, on a system with eight network interfaces, streamfwd.conf would listen only for tcp port 80 traffic on only two of those interfaces (four and five):
streamfwdcapture.<N>.interfaceRegex = eth[45] streamfwdcapture.<N>.offline = false streamfwdcapture.<N>.filter = tcp port 80
Example: Use PCAP file instead of a network interface
Use a previously generated PCAP file instead of a network interface,.
streamfwdcapture.<N>.interface = /tmp/data.cap streamfwdcapture.<N>.offline = true streamfwdcapture.<N>.filter = tcp port 80 streamfwdcapture.<N>.repeat = true streamfwdcapture.<N>.sysTime = true streamfwdcapture.<N>.bitsPerSecond = 10000000
For more information on how to ingest PCAP files using the streamfwdcapture parameter, see Ingest pcaps using streamfwd.conf in this manual.
Example: Add streamfwdcapture parameters to streamfwd.conf configuration file
You can add one or more streamfwdcapture parameters to a [streamfwd] stanza to define capture behavior for a particular network interface.
[streamfwd] streamfwdcapture.0.interfaceRegex = eth[45] streamfwdcapture.0.offline = false streamfwdcapture.0.filter = tcp port 80 streamfwdcapture.1.interface = eth0 streamfwdcapture.1.offline = false streamfwdcapture.1.filter = udp port 53
| Configure Stream forwarder | Install an Independent Stream Forwarder |
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0
Download manual
Feedback submitted, thanks!