Install and configure Splunk Forwarder

A Splunk Forwarder is required in order to send alerts to the indexer. This component will be installed on the Wazuh manager instance.

Depending on the type of architecture that you're installing, the Splunk Forwarder is configured differently.

Warning

  • On a single-instance architecture, the forwarder must point to the Splunk Enterprise instance where the Wazuh app was installed.

  • On a multi-instance architecture, the forwarder must point to the search peers (or indexers).

Installation process

  1. Download Splunk Forwarder v7.2.1 package from the official website.

  2. Install it with the following commands depending on your operating system:

  1. For RPM based distributions:

# yum install splunkforwarder-package.rpm
  1. For DEB based distributions:

# dpkg --install splunkforwarder-package.deb
  1. Ensure Splunk Forwarder v7.2.1 is installed in /opt/splunkforwarder.

Configuration process

This section explains how to configure the Splunk Forwarder to send alerts to the Indexer component.

  • props.conf : In order to consume data inputs, Splunk needs to specify what kind of format will handle.

  • inputs.conf : The Splunk Forwarder needs this file to read data from an input. In this case, the Wazuh alerts file.

Set up data collection

Configuring props

  1. Download and insert the props.conf template:

# curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/splunk/props.conf

Configuring inputs

  1. Download and insert the inputs.conf template:

# curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/splunk/inputs.conf
  1. Set the Wazuh manager hostname:

# sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf

Set up data forwarding

  1. Point Forwarder output to Wazuh's Splunk Indexer with the following command:

# /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>
  • INDEXER_IP is the IP address of the Splunk Indexer.

  • INDEXER_PORT is the port of the Splunk Indexer. By default it's 9997.

  1. Restart Splunk Forwarder service:

# /opt/splunkforwarder/bin/splunk restart

Warning

If you get an error message about the port 8089 already being in use, you can change it to use a different one.

After installing the Splunk Forwarder, incoming data should appear in the designated Indexer.

  1. Optional. If you additionally want the Splunk Forwarder service to start at boot time, please execute the following command:

# /opt/splunkforwarder/bin/splunk enable boot-start