Splunk Forwarder configuration

This section explains how to configure the Splunk Forwarder to send Wazuh alerts to the Indexer component. Two configuration files are involved:

  • inputs.conf : tells the Forwarder which inputs to read data from.
  • props.conf : tells Splunk how to parse the data it consumes, i.e. the format of each input.

Set up data collection

Configuring props

  1. Download and insert the props.conf template:

    # curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh/3.3/extensions/splunk/props.conf

Configuring inputs

  1. Download and insert the inputs.conf template:

    # curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/3.3/extensions/splunk/inputs.conf

  2. Set the Wazuh manager hostname (replaces the MANAGER_HOSTNAME placeholder in the template):

    # sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf

Set up data forwarding

  1. Point the Forwarder output to the Splunk Indexer with the following command:
    # /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>

  • INDEXER_IP: address of the Splunk Indexer.
  • INDEXER_PORT: receiving port of the Indexer (9997 by default).

  2. Restart the Splunk Forwarder service:

    # /opt/splunkforwarder/bin/splunk restart
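The hostname substitution and the forward-server target from the steps above, wrapped in a small script that also verifies the result. This is an added example, not part of the Wazuh documentation or the templates it links to; the inputs.conf stanza it writes is constructed for the demo, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Wazuh docs): apply the MANAGER_HOSTNAME
# substitution to an inputs.conf, verify no placeholder is left, and
# build the <INDEXER_IP>:<INDEXER_PORT> target used by `splunk add forward-server`.
set -eu

# Replace the MANAGER_HOSTNAME placeholder in-place, exactly as the docs' sed step does.
# ':' is used as the sed delimiter so a hostname containing '/' cannot break the expression.
set_manager_hostname() {
    local conf="$1" host="${2:-$(hostname)}"
    sed -i "s:MANAGER_HOSTNAME:${host}:g" "$conf"
}

# Succeed (exit 0) only when the placeholder no longer appears anywhere in the file.
check_no_placeholder() {
    ! grep -q 'MANAGER_HOSTNAME' "$1"
}

# Print IP:PORT for the forward-server command; the port defaults to 9997,
# the Indexer's default receiving port. A non-numeric port is rejected.
forward_target() {
    local ip="$1" port="${2:-9997}"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$ip" "$port"
}

# Demo on a constructed inputs.conf (a stand-in for the real template, not its content).
demo() {
    local tmp
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
[monitor:///path/to/alerts.json]
disabled = 0
host = MANAGER_HOSTNAME
index = wazuh
EOF
    set_manager_hostname "$tmp" "wazuh-manager-01"   # explicit hostname for a reproducible demo
    check_no_placeholder "$tmp" && echo "placeholder replaced:"
    grep '^host' "$tmp"                               # host = wazuh-manager-01
    forward_target 10.0.0.5                           # 10.0.0.5:9997
    rm -f "$tmp"
}

demo
```

Run `check_no_placeholder` against the real /opt/splunkforwarder/etc/system/local/inputs.conf after the sed step; a leftover placeholder means alerts would be tagged with the literal host "MANAGER_HOSTNAME" in Splunk.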

After the Forwarder restarts, incoming Wazuh alert data should appear in the designated Indexer.