Install the Splunk Add-on for Stream Forwarder
Use the Deployment server to push Splunk Add-on for Stream Forwarder to all of your forwarders. You can also install Splunk Add-on for Stream Forwarder on individual forwarders.
To install an independent Stream Forwarder, see Install the Independent Stream Forwarder.
If you want to upgrade a forwarder to 7.3 or later, see Migrate Splunk Stream in a distributed deployment.
To configure your forwarders, see Configure your Splunk Stream forwarders.
Secure your capabilities
In Splunk Universal Forwarder 9.0.1 and later, the Linux capabilities granted to the forwarder process have been reduced to one:
- CAP_DAC_READ_SEARCH
However, Splunk Stream 8.1 and later still needs the CAP_NET_ADMIN and CAP_NET_RAW capabilities to capture packets. You must specify these capabilities in the Splunk Universal Forwarder systemd service unit file.
To change the Splunk Universal Forwarder systemd service unit file to add the additional capabilities needed for Stream:
- Locate the Splunk Universal Forwarder systemd service unit file using the following command:
    $SPLUNK_HOME/bin/splunk display boot-start
  - If you haven't enabled boot-start on your forwarder, the unit file is located at /lib/systemd/system/SplunkForwarder.service.
  - If you have enabled boot-start on your forwarder, the unit file is located at /etc/systemd/system/SplunkForwarder.service.
- Edit the Splunk Universal Forwarder systemd service unit file and change the line:
    AmbientCapabilities=CAP_DAC_READ_SEARCH
  to:
    AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
- Reload the systemd daemon for the unit file change to take effect:
    sudo systemctl daemon-reload
- Restart the Splunk Universal Forwarder:
    sudo $SPLUNK_HOME/bin/splunk restart
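As an added example (not Splunk's own code), a POSIX shell check that verifies the unit file's AmbientCapabilities= line grants CAP_NET_ADMIN and CAP_NET_RAW and appends whichever is missing without touching an already-correct line. It runs against a constructed sample unit file; the sample's ExecStart line is a placeholder, and the capability names are the ones the page requires.

```shell
#!/bin/sh
# Print the capabilities listed on the unit file's AmbientCapabilities= line, one per line.
unit_caps() {
    sed -n 's/^AmbientCapabilities=//p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Succeed only if every capability named after the unit path is already granted.
caps_present() {
    unit="$1"; shift
    for cap in "$@"; do
        unit_caps "$unit" | grep -qx -- "$cap" || return 1
    done
    return 0
}

# Append each missing capability to the existing AmbientCapabilities= line.
# Idempotent; returns 2 if the unit has no AmbientCapabilities= line to extend.
ensure_caps() {
    unit="$1"; shift
    grep -q '^AmbientCapabilities=' "$unit" || return 2
    for cap in "$@"; do
        if ! unit_caps "$unit" | grep -qx -- "$cap"; then
            # Rewrite through a temp file so the same command works with GNU and BSD sed.
            sed "s/^AmbientCapabilities=.*/& $cap/" "$unit" > "$unit.tmp" && mv "$unit.tmp" "$unit"
        fi
    done
}

# Constructed sample standing in for /etc/systemd/system/SplunkForwarder.service.
# Only the AmbientCapabilities= line is the default described above; ExecStart is a placeholder.
SAMPLE_UNIT="${TMPDIR:-/tmp}/SplunkForwarder.service.sample"
cat > "$SAMPLE_UNIT" <<'EOF'
[Service]
# placeholder command, not the real forwarder launch line
ExecStart=/opt/splunkforwarder/bin/splunk
AmbientCapabilities=CAP_DAC_READ_SEARCH
EOF

# Demo on a copy so the sample stays pristine. On a real host pass the path that
# `splunk display boot-start` reports, then run `systemctl daemon-reload` and restart.
WORK_UNIT="$SAMPLE_UNIT.work"
cp "$SAMPLE_UNIT" "$WORK_UNIT"
if caps_present "$WORK_UNIT" CAP_NET_ADMIN CAP_NET_RAW; then
    echo "Stream capabilities already granted"
else
    ensure_caps "$WORK_UNIT" CAP_NET_ADMIN CAP_NET_RAW && echo "Added Stream capabilities"
fi
grep '^AmbientCapabilities=' "$WORK_UNIT"
```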
Use the deployment server to distribute Splunk Add-on for Stream Forwarders to universal forwarders
- Go to http://splunkbase.com/app/5238.
- Click Download. The Splunk_TA_stream_<latest_version>.tgz installation package downloads to your local host.
- Log into Splunk Web.
- Click Manage Apps > Install app from file.
- Upload the Splunk_TA_stream_<latest_version>.tgz installer file.
- Restart Splunk Enterprise, if prompted. This installs Splunk_TA_stream in the $SPLUNK_HOME/etc/apps directory. This is a pre-configured copy of Splunk_TA_stream that you can deploy to universal forwarders using the deployment server.
- Set Splunk_TA_stream permissions: On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory.
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
    sudo chmod +x ./set_permissions.sh
    sudo ./set_permissions.sh
To configure your forwarders, see Configure your Splunk Stream forwarders.
Manually install the Splunk Add-on for Stream Forwarders on Splunk forwarders
To collect network data from one or more forwarders without using a deployment server, manually install Splunk_TA_stream on each forwarder.
- Go to http://splunkbase.com/app/5238 and download the latest installation package to $SPLUNK_HOME/etc/apps on the Universal Forwarder.
- Untar the package to $SPLUNK_HOME/etc/apps.
- Verify that Splunk_TA_stream/local/inputs.conf specifies the correct location of splunk_app_stream:
    [streamfwd://streamfwd]
    splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
    stream_forwarder_id =
    disabled = 0
- Verify that Splunk_TA_stream/local/streamfwd.conf is configured to collect data from the network interface. By default, streamfwd.conf collects data from all network interfaces.
- Set Splunk_TA_stream permissions: On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory.
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
    sudo chmod +x ./set_permissions.sh
    sudo ./set_permissions.sh
- Restart Splunk Enterprise.