Install and configure Splunk Forwarder¶
A Splunk Forwarder is required in order to send alerts to the indexer. This component will be installed on the Wazuh manager instance.
Depending on the type of architecture that you’re installing, the Splunk Forwarder is configured differently.
On a single-instance architecture, the forwarder must point to the Splunk Enterprise instance where the Wazuh app was installed.
On a multi-instance architecture, the forwarder must point to the search peers (or indexers).
Download Splunk Forwarder v7.2.1 package from the official website.
Install it with the following commands depending on your operating system:
For RPM based distributions:# yum install splunkforwarder-package.rpm
For DEB based distributions:# dpkg --install splunkforwarder-package.deb
Ensure Splunk Forwarder v7.2.1 is installed in
This section explains how to configure the Splunk Forwarder to send alerts to the Indexer component.
props.conf: In order to consume data inputs, Splunk needs to specify what kind of format will handle.
inputs.conf: The Splunk Forwarder needs this file to read data from an input. In this case, the Wazuh alerts file.
Set up data collection¶
Download and insert the
# curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/splunk/props.conf
Download and insert the
# curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/splunk/inputs.conf
Set the Wazuh manager hostname:
# sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf
Set up data forwarding¶
Point Forwarder output to Wazuh’s Splunk Indexer with the following command:
# /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>
INDEXER_IPis the IP address of the Splunk Indexer.
INDEXER_PORTis the port of the Splunk Indexer. By default it’s 9997.
Restart Splunk Forwarder service:
# /opt/splunkforwarder/bin/splunk restart
If you get an error message about the port
8089already being in use, you can change it to use a different one.
After installing the Splunk Forwarder, incoming data should appear in the designated Indexer.
Optional. If you additionally want the Splunk Forwarder service to start at boot time, please execute the following command:
# /opt/splunkforwarder/bin/splunk enable boot-start