Install and configure Splunk Forwarder
A Splunk Forwarder is required in order to send alerts to the indexer. This component will be installed on the Wazuh manager instance.
Depending on the type of architecture that you're installing, the Splunk Forwarder is configured differently.
Warning
On a single-instance architecture, the forwarder must point to the Splunk Enterprise instance where the Wazuh app was installed.
On a multi-instance architecture, the forwarder must point to the search peers (or indexers).
Installation process
Download Splunk Forwarder v7.3.0 package from the official website.
Install it with the following commands depending on your operating system:
For RPM based distributions:
# yum install splunkforwarder-package.rpm
For DEB based distributions:
# dpkg --install splunkforwarder-package.deb
Ensure Splunk Forwarder v7.3.0 is installed in
/opt/splunkforwarder
.
Configuration process
This section explains how to configure the Splunk Forwarder to send alerts to the Indexer component.
props.conf
: In order to consume data inputs, Splunk needs to specify what kind of format will handle.inputs.conf
: The Splunk Forwarder needs this file to read data from an input. In this case, the Wazuh alerts file.
Set up data collection
Configuring props
Download and insert the
props.conf
template:# curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/splunk/props.conf
Configuring inputs
Download and insert the
inputs.conf
template:# curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/splunk/inputs.conf
Set the Wazuh manager hostname:
# sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf
Set up data forwarding
Point Forwarder output to Wazuh's Splunk Indexer with the following command:
# /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>
INDEXER_IP
is the IP address of the Splunk Indexer.INDEXER_PORT
is the port of the Splunk Indexer. By default it's 9997.
Restart Splunk Forwarder service:
# /opt/splunkforwarder/bin/splunk restart
Warning
If you get an error message about the port
8089
already being in use, you can change it to use a different one.After installing the Splunk Forwarder, incoming data should appear in the designated Indexer.
Optional. If you additionally want the Splunk Forwarder service to start at boot time, please execute the following command:
# /opt/splunkforwarder/bin/splunk enable boot-start
Configuring Forwarder in a Splunk cluster
To configure forwarder instance in the cluster first install the splunk forwarder.
Now, it is necessary to configure the 3 most important files in this instance:
inputs.conf: Reads alerts from alerts.json
outputs.conf: This file is for pointing events to certain indexers. It can be a single indexer or a cluster of indexers, in this last case, load balancing has to be configured on it.
props.conf: This file provides format and transforming fields of the data to be indexed.
Starting with inputs.conf, create it and fill it with the next block:
# touch /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = MANAGER_HOSTNAME
index = wazuh
sourcetype = wazuh
Now, following with the outputs.conf:
# touch /opt/splunkforwarder/etc/system/local/outputs.conf
And paste this inside:
[indexer_discovery:cluster1]
pass4SymmKey = changeme
master_uri = https://<master_ip>:<port>
[tcpout:cluster1_tcp]
indexerDiscovery = cluster1
[tcpout]
defaultGroup = cluster1_tcp
For the last one, the props.conf, follow the same procedure:
# touch /opt/splunkforwarder/etc/system/local/props.conf
[wazuh]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Application
disabled = false
pulldown_type = true
To save all the changes, restart splunk:
# /opt/splunkforwarder/bin/splunk restart