Hi,
One of my clients has installed Splunk on an AWS Linux instance (external test instance). He wants the log file to be monitored through the Splunk Enterprise hosted in our domain. I've made the changes in the /splunk/splunkforwarder/inputs.conf file with the source path, host and source type, but my question is: how will the data from that external machine (which is not in our domain) get monitored and indexed in our Splunk Enterprise environment? How will I achieve it, and what additional changes do I have to make?
Thanks and Regards,
Shribhagya
You have to edit the outputs.conf on your AWS machine to tell the forwarder where to send the data.
And enter something like this:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.10.132:9997
[tcpout-server://192.168.10.132:9997]
And you need to enable your Splunk instance to listen on a given port.
You also need to ensure an AWS security group is defined to allow sending of data from the UF to your Splunk indexer(s).
Then make sure your firewall allows connections from the AWS server.
He has installed the Splunk Universal Forwarder on that AWS machine and he wants the log file of that machine to be monitored under our Splunk Enterprise.
Please clarify. Has your client installed Splunk Enterprise on AWS or Splunk Universal Forwarder? What log files are you supposed to monitor?
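Added example, not part of the thread and not Splunk's own tooling: a pre-flight check for the forwarder's outputs.conf that lists the targets it will send to and flags RFC 1918 addresses, which an external AWS host cannot reach without a VPN or peering link. The function names and the `probe` option are assumptions made for this sketch; the sample config is the one quoted in the answer.

```python
import configparser
import ipaddress
import socket

# Constructed sample: the outputs.conf stanzas quoted in the thread.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.10.132:9997
[tcpout-server://192.168.10.132:9997]
"""

def forward_targets(conf_text):
    """Return (host, port) for each server in the groups named by defaultGroup."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names such as defaultGroup as written
    cp.read_string("[__global__]\n" + conf_text)  # tolerate settings before any stanza
    groups = cp.get("tcpout", "defaultGroup", fallback="").split(",")
    targets = []
    for group in (g.strip() for g in groups if g.strip()):
        for entry in cp.get(f"tcpout:{group}", "server", fallback="").split(","):
            host, _, port = entry.strip().rpartition(":")
            if host and port.isdigit():
                targets.append((host.strip("[]"), int(port)))
    return targets

def review_target(host, port, probe=False, timeout=3.0):
    """Return a list of findings for one forwarding target (empty list = no issue seen)."""
    findings = []
    try:
        if ipaddress.ip_address(host).is_private:
            findings.append("private address: unreachable from an external host without VPN or peering")
    except ValueError:
        pass  # a hostname; what it resolves to depends on the forwarder's DNS
    if probe:  # optional live check of the firewall / security group path
        try:
            socket.create_connection((host, port), timeout=timeout).close()
        except OSError as exc:
            findings.append(f"tcp connect to {host}:{port} failed: {exc}")
    return findings

if __name__ == "__main__":
    for host, port in forward_targets(SAMPLE_OUTPUTS_CONF):
        print(host, port, review_target(host, port) or "ok")
```

Run it on the forwarder with `probe=True` to confirm that the security group and firewall actually pass traffic to the receiving port.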