Manually collect logs from a *nix host in ITE Work

You can manually set up a universal forwarder to collect logs from a *nix host. Manually configure log collection for a host when you meet at least one of these conditions:

  • You're collecting data from a host on a closed network with no internet access.
  • You already installed a universal forwarder on the host.
  • You don't have trusted URLs you can download the required packages from.

If you also want to collect metrics data from a Linux host, see Manually collect metrics from a *nix host in ITE Work.

Prerequisites

Requirement Description
*nix host *nix integration operating system support
Administrator role

In Splunk Enterprise, you have to be a user with the admin role.

In Splunk Cloud Platform, you have to be a user with the sc_admin role.

Steps

Follow these steps to install a universal forwarder on a host and configure log collection.

1. Install the universal forwarder

Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a *nix universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

2. Configure inputs.conf on the universal forwarder

Configure the inputs.conf on the universal forwarder file to monitor files and directories from your host in ITE Work.

  1. Create the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory if it doesn't already exist.
  2. Create inputs.conf if it doesn't already exist.
  3. Open inputs.conf with a text editor.
  4. Add these stanzas to configure the host and receiving port: 
    host = <monitoring_machine>

tcp://<receiver_port>
    Setting Description
    monitoring_machineThe hostname or IP address of the Splunk Enterprise instance you want to send log data to.
    receiver_portThe port that your Splunk platform deployment uses to receive data.
  5. Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf in the Splunk Enterprise Getting Data In guide.
  6. (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For example, this stanza monitors a syslog file at /var/log/syslog: 
    [monitor:///var/log/syslog]
disabled = false
sourcetype = syslog
    Configuration settings in the Splunk Enterprise Getting Data in guide and inputs.conf in the Splunk Enterprise Admin Manual.
  7. Save and close the inputs.conf file.
  8. Restart splunkd. If you also need to configure outputs.conf in the next step, you can wait to restart splunkd until after you've configured outputs.conf as well. 
    $SPLUNK_HOME/bin/splunk restart

3. Configure outputs.conf on the universal forwarder

Configure outputs.conf on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment.

  1. Go to the ${SPLUNK_HOME}/etc/apps/splunk_app_infra_uf_config/local directory.
  2. Open outputs.conf with a text editor.
  3. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
  4. Save and close outputs.conf.
  5. Restart splunkd. 
    $SPLUNK_HOME/bin/splunk restart

Example inputs.conf for a universal forwarder

[monitor:///var/log/syslog]
disabled = false
sourcetype = syslog

[monitor:///var/log/daemon.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/auth.log]
disabled = false
sourcetype = syslog

[monitor:///var/log/apache/access.log]
disabled = false
sourcetype = combined_access

[monitor:///var/log/apache/error.log]
disabled = false
sourcetype = combined_access

[monitor:///opt/splunkforwarder/var/log/splunk/*.log]
disabled = false
index = _internal

[monitor:///etc/collectd/collectd.log]
disabled = false
index = _internal

Example outputs.conf for a universal forwarder

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = <monitoring_machine>:<receiver_port>
Setting Description
monitoring_machine The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
receiver_port The port that your Splunk platform deployment uses to receive data.