Getting Data In

Universal Forwarder Setup

attgjh1
Communicator

I've installed the Universal Forwarder on another PC (let's call it the forwarder PC) and am attempting to forward some data to another PC (deployment server) as part of an experimental test.

However, after doing the 7-step setup (I skipped the part about naming the directory), is there another way to make it start forwarding data?

My questions are as follows:

A. Since it's a forwarder, I have to edit outputs.conf from the forwarder PC. I've read through the link below but it's pretty confusing. Is it the same as doing the settings for inputs.conf?
http://docs.splunk.com/Documentation/Splunk/4.3.2/Admin/Outputsconf

B. Similarly, once I've finished the settings for the above question, how do I reset it for it to take effect? I'm pretty unclear as I'm used to Splunk Web. Likewise, for the "deployment PC", do I need to configure anything to receive it?

C. I read about configuring the receiver first before doing forwarding, but am somehow confused with the settings for the respective .conf files.

Hopefully some of you folks here can enlighten me.

Some "not sure if relevant" details:

Forwarder: to forward different kinds of logs from various directories.
I'm sure there is something I need to do in inputs.conf so I can monitor and index them properly but am unsure how to do it. (I have only tested with local logs before.)

Let me know if you need more details!


jbsplunk
Splunk Employee

A. No, it isn't the same as doing the settings for inputs.conf. There is a different syntax required. An example is:

[tcpout]
defaultGroup=idx1

[tcpout:idx1]
server=hostname:9997

For more examples:

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

B. Once you set up outputs, you can restart the instance.

C. To set up a receiver, you can edit the inputs.conf file on your indexer with a stanza like this:

[splunktcp://9997]

For details on configuring forwarder inputs, which in reality are NO different from inputs on an indexer, see the spec file; it has examples:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

I_am_Jeff
Communicator

A couple of examples from my 4.2.3 forwarder. I actually have six indexers, but just listed spots for two to save me from word-wrapping in the comment.

outputs.conf

[tcpout]
defaultGroup = sid_9997
disabled = false

[tcpout:sid_9997]
server = hostname:9997,ipaddress:9997

inputs.conf

[default]
index = main

[monitor:///var/log/messages]
disabled = false

[monitor:///var/log/test]
disabled = false
index = 15dayhold
sourcetype = test

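The two answers above describe the two halves of the link: a `[tcpout]` / `[tcpout:<group>]` pair in the forwarder's outputs.conf and a `[splunktcp://<port>]` stanza in the indexer's inputs.conf. The most common reason "nothing arrives" after a restart is that those halves do not agree (a `defaultGroup` with no matching stanza, a `server` entry without a port, or a target port the indexer is not listening on). The following is an added Python example, not code from this thread or from Splunk, that parses both files with the standard library and reports such mismatches before you restart. The hostnames, the file contents and the `check_forwarder_against_receiver` / `receiver_ports` names are constructed for the example.

```python
import configparser

# Constructed sample configs (not from the thread): the forwarder's outputs.conf
# and the indexer's inputs.conf, written in the same shape as the answers above.
FORWARDER_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = idx1
disabled = false

[tcpout:idx1]
server = idx-a.example.internal:9997, idx-b.example.internal:9997
"""

INDEXER_INPUTS_CONF = """\
[splunktcp://9997]
disabled = false
"""


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.

    Attribute names stay case-sensitive (Splunk distinguishes defaultGroup
    from defaultgroup), and only '=' is treated as a delimiter so that
    stanza values containing ':' (host:port) are not split.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _is_disabled(stanza):
    return stanza.get("disabled", "false").strip().lower() in ("true", "1")


def receiver_ports(inputs):
    """Ports the indexer accepts forwarder traffic on.

    Looks for [splunktcp://<port>] and [splunktcp-ssl://<port>] stanzas
    (also the [splunktcp://host:port] form) and skips disabled ones.
    """
    ports = set()
    for name, attrs in inputs.items():
        if not name.startswith(("splunktcp://", "splunktcp-ssl://")):
            continue
        if _is_disabled(attrs):
            continue
        rest = name.split("://", 1)[1]
        port = rest.rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def check_forwarder_against_receiver(outputs, inputs):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    tcpout = outputs.get("tcpout", {})
    if _is_disabled(tcpout):
        findings.append("outputs.conf: [tcpout] is disabled, nothing will be forwarded")
    group = tcpout.get("defaultGroup")
    if not group:
        findings.append("outputs.conf: [tcpout] has no defaultGroup, no target group selected")
        return findings
    group_stanza = outputs.get("tcpout:" + group)
    if group_stanza is None:
        findings.append("outputs.conf: defaultGroup '%s' has no [tcpout:%s] stanza" % (group, group))
        return findings
    servers = [s.strip() for s in group_stanza.get("server", "").split(",") if s.strip()]
    if not servers:
        findings.append("outputs.conf: [tcpout:%s] lists no server" % group)
    listening = receiver_ports(inputs)
    if not listening:
        findings.append("inputs.conf (indexer): no enabled [splunktcp://<port>] stanza, receiver not configured")
    for entry in servers:
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            findings.append("outputs.conf: server entry '%s' is not host:port" % entry)
            continue
        if listening and int(port) not in listening:
            findings.append("outputs.conf: %s targets port %s but the indexer listens on %s"
                            % (entry, port, sorted(listening)))
    return findings


if __name__ == "__main__":
    problems = check_forwarder_against_receiver(parse_conf(FORWARDER_OUTPUTS_CONF),
                                                parse_conf(INDEXER_INPUTS_CONF))
    print("OK: forwarder and receiver agree" if not problems else "\n".join(problems))
```

Run it against the real files (`$SPLUNK_HOME/etc/system/local/outputs.conf` on the forwarder and `inputs.conf` on the indexer) by reading them into the two strings; a clean result means the restart described in answer B is the only remaining step, while each finding names the stanza to fix first.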