Configuration

This is a step-by-step guide on configuring the Splunk Universal Forwarder on a Linux machine to forward logs.

Configuring Splunk Universal Forwarder on a Linux Machine

To configure the Universal Forwarder to forward logs from Cloud Suite Syslog to Splunk, follow these steps. Note that the commands below set up a plain TCP connection to the indexer; an encrypted connection additionally requires TLS settings in outputs.conf on the forwarder and a matching [splunktcp-ssl:<port>] receiving input on the indexer.

  1. Enable the Splunk Universal Forwarder:

    1. Open a terminal on your Linux machine.

    2. Navigate to the forwarder's bin directory: cd /opt/splunkforwarder/bin

    3. Accept the license agreement and start the forwarder: sudo ./splunk start --accept-license

    4. Enable the forwarder to start automatically when the system boots: sudo ./splunk enable boot-start

  2. Register the Splunk indexer (receiver) that the forwarder should send data to:

    sudo ./splunk add forward-server <indexer-host>:<port>

    Replace <indexer-host> with the IP address or hostname of your Splunk server, and <port> with the port on which the indexer receives data (default: 9997). This command records the indexer in etc/system/local/outputs.conf.

  3. Monitor /var/log/messages, the default syslog file on RHEL-based systems:

    sudo ./splunk add monitor /var/log/messages

    If your distribution writes syslog elsewhere (for example /var/log/syslog on Debian and Ubuntu), monitor that file instead.

  4. Restart the Splunk Universal Forwarder to apply the changes:

    sudo ./splunk restart
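The script below is an added example, not part of the original guide or of Splunk's own tooling. It renders the same outputs.conf and inputs.conf that the CLI steps above produce under etc/system/local, and adds the TLS keys (clientCert, sslVerifyServerCert, sslCommonNameToCheck) that turn the default plain-TCP connection on port 9997 into an encrypted, server-authenticated one. The indexer name idx.example.com, the certificate path, and the CA arrangement are assumptions; the receiving indexer must expose a [splunktcp-ssl:<port>] input or the forwarder will not connect.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): renders the forwarder's
# outputs.conf and inputs.conf equivalent to the CLI steps above, with TLS
# settings added so the connection is encrypted and authenticated.
# Cert/CA paths and the indexer name are assumptions; adjust to your deployment.
set -eu

# outputs.conf: where to send. `splunk add forward-server` writes only the
# [tcpout] stanza and the `server` line; the ssl* keys below are what make
# the connection TLS instead of plain TCP. The indexer must then listen with
# a [splunktcp-ssl:<port>] input rather than [splunktcp://<port>].
render_outputs_conf() {
  host="$1"; port="$2"
  cat <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = ${host}:${port}
# Assumed path: client certificate (PEM, with key) issued by the CA that is
# configured as sslRootCAPath under [sslConfig] in server.conf.
clientCert = \$SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true
sslCommonNameToCheck = ${host}
EOF
}

# inputs.conf: what to read. Equivalent of `splunk add monitor <file>`, plus an
# explicit sourcetype so the indexer parses the lines as syslog.
render_inputs_conf() {
  logfile="$1"; sourcetype="$2"
  cat <<EOF
[monitor://${logfile}]
sourcetype = ${sourcetype}
disabled = false
EOF
}

# Write both files under <splunk_home>/etc/system/local, the same location the
# CLI commands use. The forwarder must be restarted afterwards to pick them up.
write_confs() {
  home="$1"; host="$2"; port="$3"; logfile="$4"
  dir="${home}/etc/system/local"
  mkdir -p "$dir"
  umask 077
  render_outputs_conf "$host" "$port" > "${dir}/outputs.conf"
  render_inputs_conf "$logfile" syslog > "${dir}/inputs.conf"
}

# Post-restart sanity check using two standard forwarder CLI commands.
show_status() {
  home="$1"
  "${home}/bin/splunk" list forward-server
  "${home}/bin/splunk" list monitor
}

# Only touch a real installation when explicitly asked, e.g.:
#   sudo ./forwarder-conf.sh --write /opt/splunkforwarder idx.example.com 9997
if [ "${1:-}" = "--write" ]; then
  write_confs "$2" "$3" "$4" /var/log/messages
  "$2/bin/splunk" restart
  show_status "$2"
fi
```

Run it with --write only after the certificate referenced by clientCert is in place; without it the forwarder will start but log TLS handshake failures instead of sending events. `splunk list forward-server` should then show the indexer under "Active forwards" rather than "Configured but inactive forwards".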