Splunk Stream

Installation and Configuration Manual

Configure Forwarder Parameters in streamfwd.conf

Edit streamfwd.conf to specify system-level parameters for your Stream forwarders. You can configure streamfwd.conf to:

  • listen on specific IP addresses and ports
  • enable SSL
  • redirect log files
  • collect network events
  • specify network interfaces

You can edit streamfwd.conf in:

  • the Splunk Add-on for Stream Forwarder, at $SPLUNK_HOME/etc/apps/Splunk_TA_stream/default/
  • an Independent Stream Forwarder, at /opt/streamfwd/default/

Streamfwd.conf parameters

The streamfwd.conf configuration file accepts the following parameters. Each entry lists the parameter, its value type and default (where documented), and what it controls.

clientIpSslHashBytes (client IP octets; default 2)
    Number of client IP octets used by the SSL processor thread hash algorithm. Minimum 0, maximum 4. Applies only when useGlobalSSLSessionKeyCache is disabled.

dedicatedCaptureMode (boolean; default 0, false)
    Enables dedicated capture mode, which supports 10Gbps capture on compatible network interfaces. To enable it, add dedicatedCaptureMode = 1 to streamfwd.conf.

duplicatePacketWindow (packets cached in memory; default 0)
    Size of the rolling window of packets cached in memory for de-duplication. Set to a value greater than zero to enable automatic de-duplication of network packets.

hideCreditCardNumbers (boolean; default true)
    Masks credit card numbers. Set to false to show all credit card numbers. Leave this enabled unless you have a specific reason to index full card numbers, since disabling it sends them to Splunk unmasked.

mapSslServers (boolean; default true)
    Set to false to disable automatic caching of SSL server certificates against the corresponding server IP addresses.

maxEventQueueSize (events; default 10000)
    Maximum number of events queued for delivery to Splunk.

maxFieldSize (bytes; default 10240)
    Maximum size of the content field.

maxPacketQueueSize (packets; default 262144)
    Maximum size of each processing thread's packet queue. Must be a power of 2 in dedicated capture mode.

maxTcpReassemblyPacketCount (TCP packets; default 500000)
    Maximum number of TCP packets in the reassembly queue per processing thread.

maxTcpSessionCount (TCP/UDP flows; default 50000)
    Maximum number of concurrent TCP/UDP flows per processing thread.

pcapBufferSize (bytes; default 33554432)
    Capture buffer size for each network device. Increase it if you see dropped packets.

pingInterval (seconds; default 5)
    Interval between pings to the server.

processingThreads (threads; default 2)
    Number of threads used to process network traffic.

sessionKeyTimeout (seconds; default 3600)
    Idle time before SSL session keys expire.

sslServer
    Directly specifies IP addresses and ports targeted for SSL decryption. See the examples below.

streamfwdcapture
    Restricts data capture to specified network interfaces. See the examples below.

tcpConnectionTimeout (seconds; default 180)
    Idle time before TCP/UDP flows expire.

tcpServer
    Defines the endpoints of TCP servers. See the examples below.

useGlobalSSLSessionKeyCache (boolean; default false)
    Set to true to share the SSL session cache across processing threads.

usePacketMemoryPool (boolean; default false)
    When true, the Stream forwarder uses a pool allocator to store network packets. Because the pool allocator does not release unused memory back to the operating system, enabling it can result in high memory usage. Set to true only when the forwarder runs on a dedicated capture server that processes large traffic volumes.

useSystemCallForTime (boolean; default false)
    In dedicated capture mode, determines whether packets are timestamped with a system call. By default, DPDK functions timestamp packets; set this to true to use a system call instead.

Note: For a complete list of streamfwd.conf parameters, see streamfwd.conf.spec in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/README.

Common use case examples

You can refer to these examples to help you use streamfwd.conf to configure some common use cases.

Use tcpServer to specify endpoints

Stream forwarder automatically detects the client and server endpoints when it captures the beginning of a TCP connection. If it starts capturing after a connection is already established, it assumes that the sender of the first packet it sees is the client, which can invert the direction of a flow.

You can override this guess by editing the tcpServer parameter to define the endpoints of specific TCP servers. If the sender of a packet matches a defined endpoint, Stream forwarder classifies the packet as a server response regardless of which side it saw first.

Example: Define a single HTTP server endpoint using tcpServer

tcpServer.<N>.address = 192.168.1.102
tcpServer.<N>.port = 80

Example: Define a wildcard endpoint using tcpServer

tcpServer.<N>.address = 192.168.1.0
tcpServer.<N>.addressWildCard = 255.255.255.0
tcpServer.<N>.port = 80

Use the sslServer parameter to mark traffic as encrypted

Stream forwarder detects encryption on an endpoint automatically and attempts to decrypt SSL sessions using the private keys available to it. You can optionally declare an endpoint as encrypted explicitly by adding sslServer parameters, so that the forwarder does not depend on autodetection for that address and port:

sslServer.<N>.address = 192.168.1.102
sslServer.<N>.port = 443
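To make the direction and SSL-declaration rules concrete, the following is an added Python example, not code from the Splunk Stream documentation or product, that applies tcpServer and sslServer entries to the first packet seen on a flow. The endpoint definitions and packets are constructed for the example, and it assumes that addressWildCard is applied as a dotted-decimal netmask over address, which the page does not state explicitly.

```python
import ipaddress
from typing import Iterable, Mapping

# Constructed endpoint definitions using the streamfwd.conf key names
# (tcpServer.<N>.address / addressWildCard / port, sslServer.<N>.address / port).
TCP_SERVERS = [
    {"address": "192.168.1.102", "port": "80"},
    {"address": "192.168.1.0", "addressWildCard": "255.255.255.0", "port": "80"},
]
SSL_SERVERS = [
    {"address": "192.168.1.102", "port": "443"},
]


def endpoint_matches(entry: Mapping[str, str], ip: str, port: int) -> bool:
    """True if ip:port falls inside one tcpServer/sslServer entry.

    ASSUMPTION (not stated on the page): addressWildCard is a dotted-decimal
    netmask applied to address; an entry without it matches only that address."""
    if int(entry["port"]) != port:
        return False
    mask = entry.get("addressWildCard", "255.255.255.255")
    network = ipaddress.IPv4Network((entry["address"], mask), strict=False)
    return ipaddress.IPv4Address(ip) in network


def classify_first_packet(src_ip: str, src_port: int,
                          tcp_servers: Iterable[Mapping[str, str]] = TCP_SERVERS) -> str:
    """Direction rule for a flow whose handshake was not captured: the sender
    is assumed to be the client unless it matches a tcpServer endpoint."""
    if any(endpoint_matches(e, src_ip, src_port) for e in tcp_servers):
        return "server_response"
    return "client_request"


def is_declared_ssl(ip: str, port: int,
                    ssl_servers: Iterable[Mapping[str, str]] = SSL_SERVERS) -> bool:
    """True if the endpoint is explicitly declared encrypted via sslServer."""
    return any(endpoint_matches(e, ip, port) for e in ssl_servers)


if __name__ == "__main__":
    # Constructed mid-stream packets as (source IP, source port).
    samples = [
        ("192.168.1.102", 80),    # exact tcpServer match -> server response
        ("192.168.1.77", 80),     # inside the 192.168.1.0/24 wildcard -> server response
        ("192.168.1.77", 51234),  # same host, ephemeral port -> treated as client
        ("192.168.2.9", 80),      # outside the wildcard range -> treated as client
        ("192.168.1.102", 443),   # not a tcpServer, but declared SSL
    ]
    for ip, port in samples:
        print(f"{ip}:{port:<5} {classify_first_packet(ip, port):16} ssl={is_declared_ssl(ip, port)}")
```

Note that the port must match as well as the address: a host inside the wildcard range sending from an ephemeral port is still classified as a client, so a /24 tcpServer entry does not mislabel outbound connections from those hosts.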

Use streamfwdcapture to specify network interfaces

By default, the Stream forwarder captures traffic on all available network interfaces. Use the streamfwdcapture parameter to restrict capture to specific interfaces.

The streamfwdcapture parameter supports the following options:

streamfwdcapture.<N>.interface
    A network interface name, or a path to a PCAP file when offline is true.

streamfwdcapture.<N>.interfaceRegex
    A regular expression matching one or more network interface names.

streamfwdcapture.<N>.offline
    Set to true to read from a PCAP file. Set to false (the default) to indicate that interface names a network device.

streamfwdcapture.<N>.filter
    A BPF (Berkeley Packet Filter) expression for kernel-level packet filtering. The value must be valid BPF syntax. Only one filter per streamfwdcapture index is supported.

streamfwdcapture.<N>.repeat
    Set to true to replay the PCAP file repeatedly for continuous load.

streamfwdcapture.<N>.sysTime
    Set to true to use the system time for packet timestamps instead of the timestamps recorded in the PCAP file.

streamfwdcapture.<N>.bitsPerSecond
    Rate limiter for PCAP playback. Defaults to 10 Mbps when undefined and repeat is true.

To restrict data capture to specific network interfaces, add a [streamfwd] stanza to streamfwd.conf. You can use several streamfwdcapture indexes to specify multiple network interfaces in a single streamfwd.conf file. For example, to capture on two network interfaces, eth0 and eth1, each with a different BPF filter on *nix:

[streamfwd]
streamfwdcapture.0.interface = eth0
streamfwdcapture.0.filter = tcp port 80
streamfwdcapture.1.interface = eth1
streamfwdcapture.1.filter = udp port 53

Specify a network interface on Windows

This example specifies a Windows network interface:

streamfwdcapture.0.interface = \Device\NPF_{D6995D00-B75C-48DB-99AA-69F0150126BC}
streamfwdcapture.0.offline = false
streamfwdcapture.0.filter = tcp port 80

On Windows, you can replace the device name in streamfwdcapture.<N>.interface or streamfwdcapture.<N>.interfaceRegex (such as \Device\NPF_{D6995D00-B75C-48DB-99AA-69F0150126BC}) with the <Alias> or <Description> value returned by the --iflist command line option.

For example, streamfwdcapture.<N>.interface = Local Area Connection 2, or streamfwdcapture.<N>.interfaceRegex = Local Area.*

For more information, see "List network interfaces on Windows and Linux" in this manual.

streamfwdcapture examples

Example: Configure streamfwd.conf to include local loopback capture

By default, Stream forwarder does not capture traffic that originates and terminates on the same machine. You can enable capture of this "local loopback" traffic by naming the loopback interface explicitly with the streamfwdcapture parameter in the configuration file (lo0 as shown is the BSD and macOS name; on Linux the loopback interface is lo):

   streamfwdcapture.<N>.interface = lo0

Note: you cannot use the streamfwdcapture.<N>.interfaceRegex parameter to specify local loopback interfaces; they must be named with streamfwdcapture.<N>.interface.

Example: Configure streamfwd.conf for use across multiple systems

As a best practice, maintain a master copy of streamfwd.conf that you can reuse across multiple systems that have different network device names. The following streamfwd.conf configuration listens on all matching interfaces found. This configuration does not capture local loopback interfaces.

streamfwdcapture.<N>.interfaceRegex = .*

Note that this configuration may generate startup warnings for any devices that do not support passive data capture.

Example: Capture data on specific network interfaces

In this example, on a system with eight network interfaces, streamfwd.conf listens for tcp port 80 traffic on only two of them (eth4 and eth5):

streamfwdcapture.<N>.interfaceRegex = eth[45]
streamfwdcapture.<N>.offline = false
streamfwdcapture.<N>.filter = tcp port 80

Example: Use PCAP file instead of a network interface

Use a previously generated PCAP file instead of a network interface. Set offline to true so that the interface value is read as a file path:

streamfwdcapture.<N>.interface = /tmp/data.cap
streamfwdcapture.<N>.offline = true
streamfwdcapture.<N>.filter = tcp port 80
streamfwdcapture.<N>.repeat = true
streamfwdcapture.<N>.sysTime = true
streamfwdcapture.<N>.bitsPerSecond = 10000000

For more information on how to ingest PCAP files using the streamfwdcapture parameter, see Ingest pcaps using streamfwd.conf in this manual.

Example: Add streamfwdcapture parameters to streamfwd.conf configuration file

You can add one or more streamfwdcapture parameters to a [streamfwd] stanza to define capture behavior for a particular network interface.

[streamfwd]
streamfwdcapture.0.interfaceRegex = eth[45]
streamfwdcapture.0.offline = false
streamfwdcapture.0.filter = tcp port 80
streamfwdcapture.1.interface = eth0
streamfwdcapture.1.offline = false
streamfwdcapture.1.filter = udp port 53
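Because the forwarder reads these keys from a flat stanza, a mistake such as a non-power-of-two queue size in dedicated capture mode or a PCAP playback option on a live interface is easy to miss. The following is an added Python example, not code from the Splunk Stream documentation or product, that reads a [streamfwd] stanza and checks the constraints documented on this page. The sample configuration is constructed for the example and deliberately contains several problems; the checks and their wording are the example's own.

```python
import re
from typing import Dict, List

# Constructed streamfwd.conf used as sample input. The stanza and key names are
# the ones documented on this page; the values are chosen to trigger findings.
SAMPLE_CONF = """\
[streamfwd]
dedicatedCaptureMode = 1
maxPacketQueueSize = 300000
hideCreditCardNumbers = false
clientIpSslHashBytes = 2

streamfwdcapture.0.interface = eth0
streamfwdcapture.0.filter = tcp port 80

streamfwdcapture.1.interfaceRegex = eth[45]
streamfwdcapture.1.offline = true

streamfwdcapture.2.interface = /tmp/data.cap
streamfwdcapture.2.offline = true
streamfwdcapture.2.repeat = true
"""

_CAPTURE_KEY = re.compile(r"^streamfwdcapture\.(\d+)\.(\w+)$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal Splunk .conf reader: [stanza] headers, key = value lines, '#'
    comments. Keys keep their case because Splunk .conf keys are case-sensitive."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def _as_bool(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "t", "yes")


def check_streamfwd(stanza: Dict[str, str]) -> List[str]:
    """Return findings for a [streamfwd] stanza; an empty list means clean."""
    findings: List[str] = []

    # Dedicated capture mode requires a power-of-two packet queue (parameter table).
    if _as_bool(stanza.get("dedicatedCaptureMode", "0")):
        q = int(stanza.get("maxPacketQueueSize", "262144"))
        if q <= 0 or q & (q - 1):
            findings.append(f"maxPacketQueueSize={q} must be a power of 2 in dedicatedCaptureMode")

    # Card-number masking is on by default; turning it off indexes full numbers.
    if "hideCreditCardNumbers" in stanza and not _as_bool(stanza["hideCreditCardNumbers"]):
        findings.append("hideCreditCardNumbers=false: full card numbers will be indexed")

    n = int(stanza.get("clientIpSslHashBytes", "2"))
    if not 0 <= n <= 4:
        findings.append(f"clientIpSslHashBytes={n} outside the allowed range 0..4")

    # Group streamfwdcapture.<N>.* keys by index and validate each capture block.
    captures: Dict[int, Dict[str, str]] = {}
    for key, value in stanza.items():
        m = _CAPTURE_KEY.match(key)
        if m:
            captures.setdefault(int(m.group(1)), {})[m.group(2)] = value

    for idx, cap in sorted(captures.items()):
        has_if, has_rx = "interface" in cap, "interfaceRegex" in cap
        if has_if == has_rx:
            findings.append(f"streamfwdcapture.{idx}: set exactly one of interface or interfaceRegex")
        offline = _as_bool(cap.get("offline", "false"))
        repeat = _as_bool(cap.get("repeat", "false"))
        if offline and has_rx:
            findings.append(f"streamfwdcapture.{idx}: offline=true needs a PCAP path in interface, not interfaceRegex")
        if not offline and (repeat or "bitsPerSecond" in cap):
            findings.append(f"streamfwdcapture.{idx}: repeat/bitsPerSecond only apply to PCAP playback (offline=true)")
        if offline and repeat and "bitsPerSecond" not in cap:
            findings.append(f"streamfwdcapture.{idx}: repeat=true without bitsPerSecond, playback is limited to 10 Mbps")
    return findings


if __name__ == "__main__":
    for finding in check_streamfwd(parse_conf(SAMPLE_CONF).get("streamfwd", {})):
        print(finding)
```

Run it against the real file ($SPLUNK_HOME/etc/apps/Splunk_TA_stream/default/streamfwd.conf or /opt/streamfwd/default/streamfwd.conf) before restarting the forwarder; the hideCreditCardNumbers check is the one most worth keeping in a change-review pipeline, because that setting controls what sensitive data leaves the capture host.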
Last modified on 07 June, 2024
This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3