Splunk Forwarder configuration
This section explains how to configure the Splunk Forwarder to send alerts to the Indexer component.
inputs.conf : The Forwarder needs this file to read data from an input.
props.conf : In order to consume data inputs, Splunk needs to specify what kind of format will handle.
Set up data collection
Configuring inputs
Download and insert the
props.conftemplate:
# curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/splunk/props.conf
Configuring props
Download and insert the
inputs.conftemplate:# curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/splunk/inputs.conf
Set the Wazuh manager hostname:
# sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf
Set up data forwarding
Point Forwarder output to Wazuh's Indexer with the following command:
# /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>
INDEXER_IP: Splunk Indexer location.
INDEXER_PORT: by default on port 9997.
Restart Splunk Forwarder service:
# /opt/splunkforwarder/bin/splunk restart
After installing the Splunk Forwarder, incoming data should appear in the designated Indexer.