Getting Data In

How do I configure a UF on Linux to receive and forward Windows events?

pfabrizi
Path Finder

I need to configure a Linux based UF to receive Windows events and then forward those to the indexers. I am guessing that there are an inputs.conf and an outputs.conf needing to be configured.

Just not sure how to configure these stanzas, mostly inputs.conf.

This would receive events from Windows servers in a web zone, so we only need to open the firewall for the UF.

Thanks!

0 Karma
1 Solution

FrankVl
Ultra Champion

And how exactly did you envision that Windows server sending the logs to the Linux UF?

Unless you also put Splunk on the Windows box (or use some sub-optimal solution with an agent like Snare) I don't really see how you are going to accomplish that.

Assuming you have Splunk on the Windows box as well and the Linux UF just acts as an intermediate forwarder, it should be as simple as enabling a splunktcp input on the UF and setting the correct output config to send to your indexers.

What exactly are you not sure about?

0 Karma

pfabrizi
Path Finder

I am not sure how to set up the TCP input to accept events from 300 Windows servers. The Windows servers will be running the Windows Splunk UF.

should the input just look for the Windows UF port?

Which would be?

Thanks!

0 Karma

FrankVl
Ultra Champion

Technically you can use whatever port you want, just as long as the outputs.conf on the Windows UFs is using the same port as the splunktcp input (so not a normal TCP input) on your Linux UF intermediate forwarder. In general I guess 9997 is typically used for this.

See also the documentation on how to set up forwarding (basically this is no different from setting up forwarding from a forwarder to an indexer, just that you have one more Splunk instance in between, that receives and then also sends it again).
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata
specifically: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Configureanintermediateforwarder

0 Karma
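As an added illustration of the setup FrankVl describes (not configuration from the original thread), here are the three stanzas involved: a splunktcp input on the Linux intermediate UF, the outputs.conf on each Windows UF pointing at it, and the outputs.conf on the Linux UF pointing at the indexers. Hostnames and the 9997 port are assumed; with this layout the only inbound firewall rule needed in the web zone is Windows servers to the Linux UF on that one port.

```ini
# --- Linux intermediate UF: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# A splunktcp input (not a plain tcp:// input) is required, because the
# Windows UFs send Splunk's own cooked forwarding protocol on this port.
[splunktcp://9997]
disabled = 0

# --- Linux intermediate UF: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Everything received on 9997 is forwarded on to the indexers.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

# --- Each Windows UF: %SPLUNK_HOME%\etc\system\local\outputs.conf ---
# The port here must match the splunktcp stanza on the Linux UF above.
[tcpout]
defaultGroup = intermediate_uf

[tcpout:intermediate_uf]
server = linux-uf.example.internal:9997
```

After saving the files, restart the UF on each host so the stanzas take effect.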

pfabrizi
Path Finder

Thank You!

0 Karma