Splunk Forwarder configuration

This section explains how to configure the Splunk Forwarder to send alerts to the Indexer component.

  • inputs.conf : The Forwarder needs this file to read data from an input.

  • props.conf : In order to consume data inputs, Splunk needs to specify what kind of format will handle.

Set up data collection

Configuring props

  1. Download and insert the props.conf template:

# curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh/3.6/extensions/splunk/props.conf

Configuring inputs

  1. Download and insert the inputs.conf template:

    # curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/3.6/extensions/splunk/inputs.conf

  2. Set the Wazuh manager hostname:

# sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf

Set up data forwarding

  1. Point Forwarder output to Wazuh’s Indexer with the following command:

# /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>

  • INDEXER_IP: Splunk Indexer location.

  • INDEXER_PORT: by default on port 9997.

  1. Restart Splunk Forwarder service:

# /opt/splunkforwarder/bin/splunk restart

After installing the Splunk Forwarder, incoming data should appear in the designated Indexer.

  1. Optional. If you additionally want the Splunk Forwarder service to start at boot time, please execute the following command:

# /opt/splunkforwarder/bin/splunk enable boot-start