Splunk – how to configure a RHEL6 host to send data to Splunk and to use the Splunk TA for Unix and Linux

I did this.

On the Splunk server (receiver): download and install the Splunk TA for Unix and Linux on the Splunk server (receiver) and enable it by going to Manager|Apps|Enable.

On the host you want to collect data from (sender): download and install the Splunk Universal Forwarder on the Linux host. The rest of this post assumes the forwarder is already configured and sending data to Splunk; in brief, on RHEL6 that consisted of the following.

Install the package: rpm -ivh splunkforwarder-4.3.3-128297-linux-2.6-x86_64.rpm

Create the init.d start-up script: /opt/splunkforwarder/bin/splunk enable boot-start

Enable start-up at boot: chkconfig splunk on

Open firewall port tcp 9997: iptables -I INPUT 4 -p tcp --dport 9997 -j ACCEPT. Note that tcp/9997 is the port the receiver listens on, so this rule belongs on the Splunk server (receiver), which must have receiving enabled on that port; the forwarder only makes an outbound connection to it, which RHEL6's default iptables OUTPUT policy already allows.

Copy the default inputs.conf file from $SPLUNK_HOME/etc/system/default to $SPLUNK_HOME/etc/system/local (where $SPLUNK_HOME is /opt/splunkforwarder), and check that the owner and group (UID/GID) are splunk:splunk.

Next edit the inputs.conf file located in $SPLUNK_HOME/etc/system/local to get something basic set up, for example a host name and a single monitored log file:

[default]
host = mysender.local

[monitor:///var/log/secure]
disabled = false

Start the splunkforwarder: service splunk start or /etc/init.d/splunk start

Tell the forwarder where to send its data, i.e. the Splunk server (receiver) that has receiving enabled on tcp/9997 (on the server this can be done with /opt/splunk/bin/splunk enable listen 9997): /opt/splunkforwarder/bin/splunk add forward-server <receiver-hostname>:9997. You can confirm the connection with /opt/splunkforwarder/bin/splunk list forward-server, which should list the receiver as active.

You should be getting data in Splunk now.

Now download and manually install the Splunk Technology Add-on (TA) for Unix and Linux onto the host you want to collect data from (sender); it will end up here: $SPLUNK_HOME/etc/apps/Splunk_TA_nix

Copy the default inputs.conf file from $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/. I had to create the "local" directory, and again check that the owner and group (UID/GID) are splunk:splunk:

mkdir /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local
cp /opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/
chown -R splunk:splunk /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local

Next edit the inputs.conf file located in /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/ and enable only the items you wish to monitor by setting the "disabled" attribute to "false" in those stanzas (leave the rest disabled; the TA ships a number of scripted inputs, and every one you enable runs as the splunk user on a schedule), then restart the splunkforwarder.
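The steps above, scripted so they can be repeated identically on every sender. This is an added example and is not code from the original post or from Splunk; it assumes $SPLUNK_HOME is /opt/splunkforwarder, that the TA has already been unpacked into etc/apps/Splunk_TA_nix, that the caller supplies the receiver's hostname, and that the TA's default inputs.conf uses "disabled = 1" lines inside [script://...] stanzas. The stanza names script://./bin/vmstat.sh and script://./bin/cpu.sh and the sample inputs.conf contents are constructed for the demonstration. The enable_ta_stanzas function is the point of interest: it flips "disabled" only inside the stanzas you name, so copying the TA's default file does not silently enable inputs you did not ask for.

```shell
#!/bin/bash
# Added example (not from the original post): scripts the forwarder-side
# steps for a RHEL6 sender. Assumptions: SPLUNK_HOME=/opt/splunkforwarder,
# Splunk_TA_nix already unpacked under etc/apps, receiver host passed in.
set -e

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK="$SPLUNK_HOME/bin/splunk"

# Print a minimal system/local/inputs.conf: a [default] stanza carrying the
# host name, plus one [monitor://PATH] stanza per log file passed in.
render_forwarder_inputs() {
    local host="$1"; shift
    printf '[default]\nhost = %s\n' "$host"
    local path
    for path in "$@"; do
        printf '\n[monitor://%s]\ndisabled = false\n' "$path"
    done
}

# Copy a TA's default inputs.conf (SRC) to the local copy (DST), enabling
# only the named stanzas. Every other stanza keeps its shipped "disabled"
# value, so the forwarder does not start running every script in the add-on.
# Usage: enable_ta_stanzas SRC DST STANZA...
enable_ta_stanzas() {
    local src="$1" dst="$2"; shift 2
    local want=" $* "   # space-padded so awk can match whole stanza names
    mkdir -p "$(dirname "$dst")"
    awk -v want="$want" '
        /^\[/ {
            # Stanza header: note whether it is one we were asked to enable
            name = $0; sub(/^\[/, "", name); sub(/\]$/, "", name)
            on = index(want, " " name " ") > 0
        }
        on && /^[ \t]*disabled[ \t]*=/ { print "disabled = false"; next }
        { print }
    ' "$src" > "$dst"
}

# Files under $SPLUNK_HOME must stay owned by the account the forwarder runs
# as; only root can change ownership, so do nothing otherwise.
fix_splunk_owner() {
    [ "$(id -u)" -eq 0 ] && chown -R splunk:splunk "$1"
    return 0
}

# Full sender setup, run as root. RECEIVER is the Splunk server with
# receiving enabled on tcp/9997; RPM is the forwarder package file.
# Not invoked below; call it explicitly once the TA is in place.
configure_forwarder() {
    local receiver="$1" rpm="$2" host="$3"; shift 3
    rpm -q splunkforwarder >/dev/null 2>&1 || rpm -ivh "$rpm"
    "$SPLUNK" enable boot-start
    chkconfig splunk on
    render_forwarder_inputs "$host" "$@" > "$SPLUNK_HOME/etc/system/local/inputs.conf"
    enable_ta_stanzas "$SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf" \
                      "$SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf" \
                      script://./bin/vmstat.sh script://./bin/cpu.sh
    fix_splunk_owner "$SPLUNK_HOME/etc"
    "$SPLUNK" add forward-server "$receiver:9997"
    service splunk restart
    "$SPLUNK" list forward-server   # the receiver should be listed as active
}

# Constructed sample of a TA default inputs.conf (two stanzas, both disabled),
# used only to show enable_ta_stanzas working offline.
SAMPLE_TA_DEFAULT='[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
disabled = 1

[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
disabled = 1'

# Run the stanza enabler over the sample (enabling vmstat only) and print
# the resulting local inputs.conf.
demo_enable_vmstat() {
    local dir; dir="$(mktemp -d)"
    printf '%s\n' "$SAMPLE_TA_DEFAULT" > "$dir/default.conf"
    enable_ta_stanzas "$dir/default.conf" "$dir/local/inputs.conf" script://./bin/vmstat.sh
    cat "$dir/local/inputs.conf"
    rm -rf "$dir"
}

render_forwarder_inputs mysender.local /var/log/secure
demo_enable_vmstat
```

Run as-is it only prints the rendered system/local/inputs.conf and the sample TA result (vmstat enabled, cpu left at disabled = 1); the real installation happens only when you call configure_forwarder <receiver> <rpm> <hostname> <logfile>... as root on the sender.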


About hedscratchers

A UK ex-pat now living in the USA.
This entry was posted in Linux & Solaris.
