Hi
Can you help me with some questions?
If I understand correctly, this add-on parses iptables logs, but first I need to change the iptables config to log to a separate file?
There is no inputs.conf or anything like it. I don't know how to use this add-on, even with the documentation.
Assuming you're running splunk(forwarder) on the same box as where you want to capture the iptables logs, you'll need to:
You could split the netfilter (iptables) events into their own file then in the inputs.conf monitor stanza for that file specify the sourcetype of linux:netfilter, but I designed the app so that doing so is not necessary. If you simply ingest the netfilter events mixed with other syslogged events (e.g. /var/log/messages) and that file is ingested with sourcetype "syslog", then the app will automatically change the sourcetype of just the netfilter events to linux:netfilter.
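As an added illustration of the two setups described above (not configuration shipped by the add-on or written by its author): a forwarder inputs.conf covering both the "separate file" and the "mixed syslog" cases, an rsyslog rule that produces the separate file, and a props/transforms sourcetype override of the kind the app applies to re-tag only the netfilter lines. The file paths, stanza names and the regex are assumptions; the add-on's own override may look different.

```ini
# ---- inputs.conf (on the forwarder) --------------------------------------
# Option A: netfilter events already split into their own file, so the
# monitor stanza can set the sourcetype directly.
[monitor:///var/log/iptables.log]        ; assumed path
sourcetype = linux:netfilter
disabled = false

# Option B: ingest the mixed syslog file as plain "syslog" and let a
# sourcetype override re-tag just the netfilter lines.
[monitor:///var/log/messages]
sourcetype = syslog
disabled = false

# ---- rsyslog rule for Option A (/etc/rsyslog.d/10-iptables.conf) ---------
# Kernel LOG-target lines carry "IN=... OUT=..."; route them to their own
# file and stop so they do not also land in /var/log/messages.
# :msg, contains, "IN=" /var/log/iptables.log
# & stop

# ---- props.conf (parsing tier: indexer or heavy forwarder) ---------------
# Index-time transforms run where events are parsed, not on a universal
# forwarder, so this pair belongs on the indexer (or in the app there).
[syslog]
TRANSFORMS-netfilter = set_netfilter_sourcetype

# ---- transforms.conf -------------------------------------------------------
# Assumed pattern: a kernel message containing the iptables LOG fields.
# Constructed sample line this matches:
#   Mar  1 12:00:00 host kernel: [123.4] DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22
[set_netfilter_sourcetype]
REGEX = kernel:.*\bIN=\S*\s+OUT=\S*\s.*\bSRC=
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::linux:netfilter
```

With the add-on installed, Option B needs only the inputs.conf stanza, since the app already carries its own override; the props/transforms pair is shown so you can see what that re-tagging mechanism looks like and where it has to live. After a restart, check the result with a search such as `sourcetype=linux:netfilter` and confirm that unrelated syslog lines from the same file still arrive as `sourcetype=syslog`.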