Splunk Forwarder configuration
This section explains how to configure the Splunk Forwarder to send alerts to the Indexer component.
inputs.conf : the Forwarder needs this file to know which input to read data from.
props.conf : tells Splunk which data format it will handle when consuming those inputs.
Set up data collection
Configuring props
Download and insert the props.conf template:
# curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/splunk/props.conf
Configuring inputs
Download and insert the inputs.conf template:
# curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/splunk/inputs.conf
Set the Wazuh manager hostname:
# sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf
Set up data forwarding
Point Forwarder output to Wazuh's Indexer with the following command:
# /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>
INDEXER_IP : Splunk Indexer location.
INDEXER_PORT : by default, port 9997.
Restart Splunk Forwarder service:
# /opt/splunkforwarder/bin/splunk restart
After installing the Splunk Forwarder, incoming data should appear in the designated Indexer.
Optional: if you also want the Splunk Forwarder service to start at boot time, run the following command:
# /opt/splunkforwarder/bin/splunk enable boot-start
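The steps above leave three files under /opt/splunkforwarder/etc/system/local that must all be consistent before the restart: the two downloaded templates, with the MANAGER_HOSTNAME placeholder replaced, and the outputs.conf that `splunk add forward-server` writes. The script below is an added example, not part of the Wazuh documentation or the Wazuh project; it performs the hostname substitution portably and then checks the directory for the common mistakes (template not downloaded, placeholder left in place, no forward target). It assumes that `splunk add forward-server` records the target as a `server = <ip>:<port>` line in outputs.conf, which is how the Splunk universal forwarder stores it; the directory argument defaults to the path used on this page.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): verify a Splunk Forwarder
# configuration directory after the props/inputs/forward-server steps.

# Replace the template placeholder with the Wazuh manager hostname.
#   $1 = path to inputs.conf, $2 = hostname to insert
# Uses a temporary file instead of `sed -i` so it also works on BSD sed.
set_manager_hostname() {
    sed "s:MANAGER_HOSTNAME:$2:g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# List the forward targets (host:port) configured in outputs.conf, one per line.
#   $1 = path to outputs.conf
# Assumption: `splunk add forward-server` wrote a `server = host:port` line.
forward_targets() {
    grep -E '^server *= *[^ ]+' "$1" 2>/dev/null | sed -E 's/^server *= *//'
}

# Return 0 when the directory holds a usable forwarder configuration,
# 1 otherwise. Each problem found is printed so it can be fixed before
# `splunk restart`.
#   $1 = configuration directory (default: the path used in this guide)
check_forwarder_config() {
    dir="${1:-/opt/splunkforwarder/etc/system/local}"
    status=0
    for f in props.conf inputs.conf outputs.conf; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"
            status=1
        fi
    done
    # A leftover placeholder means every event would be tagged with the
    # literal host "MANAGER_HOSTNAME" on the Indexer, so searches and
    # dashboards that filter by manager would miss the data.
    if grep -q 'MANAGER_HOSTNAME' "$dir/inputs.conf" 2>/dev/null; then
        echo "placeholder MANAGER_HOSTNAME still present in $dir/inputs.conf"
        status=1
    fi
    # At least one target of the form host:port must exist, otherwise the
    # Forwarder reads the alerts but has nowhere to send them.
    if ! forward_targets "$dir/outputs.conf" | grep -Eq '^[^:]+:[0-9]+$'; then
        echo "no forward-server target (server = <ip>:<port>) in $dir/outputs.conf"
        status=1
    fi
    return $status
}
```

Run it as `check_forwarder_config` (or pass another directory) right before `splunk restart`; a non-zero exit with the printed reasons tells you which of the earlier steps was skipped.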