Command line options for the Independent Stream Forwarder

Independent Stream Forwarder includes command line options that let you identify network interfaces, manage SSL keys, and perform other configuration tasks.

The streamfwd binary is located in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/<OS_arch>/bin or, for independent streamfwd deployment, /opt/streamfwd/bin.

To view all streamfwd command line options, specify the -h option.

streamfwd command line options override the streamfwd.conf configuration file, which by default captures data from all network devices. streamfwd command line options also override any specific capture locations specified by the streamfwdcapture parameter in streamfwd.conf.

Note: You do not need root privileges to run streamfwd commands.

About streamfwd output behavior

The output behavior of the streamfwd command differs depending on whether you are running the streamfwd binary as an independent deployment or as part of Splunk_TA_stream.

  • If you are using an Independent Stream Forwarder streamfwd deployment, the output is sent to indexers by HTTP event collector. See Deploy Independent Stream Forwarder in this manual.
  • If you are using Splunk_TA_stream, the output is sent through localhost:8889 to the Splunk TA for Stream Wire Data, which forwards received events along with the events it generates itself. To confirm that the Splunk TA for Stream Wire Data is running:
  1. Click on Settings > Data inputs > Wire data.
  2. If the modular input status indicates disabled, click Enable.

Locating streamfwd.conf

streamfwd looks for streamfwd.conf in these directories:

  • For Splunk_TA_stream:
$SPLUNK_HOME/etc/apps/Splunk_TA_stream/default
$SPLUNK_HOME/etc/apps/Splunk_TA_stream/local
  • For streamfwd independent deployment:
$STREAMFWD_PATH/default
$STREAMFWD_PATH/local

where $STREAMFWD_PATH is /opt/streamfwd by default.

For information on the correct usage of default and local directories, see About configuration files in the Splunk Enterprise Admin Manual.

Examples

List network interfaces

Use the --iflist option to view all network interfaces on Windows or Linux machines.

For example, on a Windows machine:

C:\Splunk_Home\etc\apps\Splunk_TA_stream\windows_x86_64\bin>streamfwd.exe --iflist
<Sniffer>
  <Interface>
    <Name>\Device\NPF_{D6995D00-B75C-48DB-99AA-69F0150126BC}</Name>
    <Alias>Local Area Connection</Alias>
    <Description>Intel(R) PRO/1000 MT Network Connection</Description>
  </Interface>
</Sniffer>

Get streamfwd version

Use the --version option to get the current streamfwd version.

For example:

[root@myserver bin] ./streamfwd --version
streamfwd version 7.0.0 build 99

Get modular input scheme

Use the --scheme option to print the modular input scheme.

For example:

[root@myserver bin] ./streamfwd --scheme
<scheme>
  <title>Wire data</title>
  <description>Passively capture wire data from network traffic.</description>
  <use_external_validation>true</use_external_validation>
  <use_single_instance>true</use_single_instance>
  <streaming_mode>xml</streaming_mode>
  <endpoint>
    <args>
      <arg name="splunk_stream_app_location">
        <title>Splunk App for Stream Location</title>
        <description>URI including full path to splunk_app_stream installation (i.e. http://localhost:8000/en-us/custom/splunk_app_stream/)</description>
        <validation>validate(match('splunk_stream_app_location', '^https?://.+'), 'Location must start with http:// or https://')</validation>
      </arg>
      <arg name="stream_forwarder_id">
        <title>Stream Forwarder Identifier</title>
        <description>A string identifier for Stream forwarder</description>
      </arg>
      <arg name="sslVerifyServerCert">
        <title>Verify Server Certificate</title>
        <description>If true, Stream forwarder will make sure that the server that its connecting to has a valid SSL certificate. Defaults to false</description>
        <validation>validate(is_bool('sslVerifyServerCert'),'Verify Server Certificate must be either true or false')</validation>
      </arg>
      <arg name="rootCA">
        <title>Root CA File</title>
        <description>The path to the root certificate authority file. This value is used only if Verify Server Certificate is set to true.</description>
      </arg>
      <arg name="sslCommonNameToCheck">
        <title>Common Name of Server Certificate</title>
        <description>By default, Stream forwarder uses host name to match the server certificate common name. Override this value to change that behavior. This value is used only if Verify Server Certificate is set to true.</description>
      </arg>
    </args>
  </endpoint>
</scheme>
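The scheme output states a validation rule for each argument and notes that sslVerifyServerCert defaults to false. As an added example (not Splunk's code), the following Python applies those stated rules to a wire data input stanza and separately reports the TLS settings a reviewer would want to see hardened. The stanza dictionary is constructed, and the set of values accepted as booleans is an assumption about is_bool().

```python
import re

# Constructed sample stanza, modelled on the argument names in the --scheme output.
SAMPLE_STANZA = {
    "splunk_stream_app_location": "https://splunkhost:8000/en-us/custom/splunk_app_stream/",
    "stream_forwarder_id": "sensor-01",
    "sslVerifyServerCert": "false",
}

# Regex taken from the scheme's validation expression for splunk_stream_app_location.
LOCATION_RE = re.compile(r"^https?://.+")
# Assumption: forms that the scheme's is_bool() accepts.
BOOL_VALUES = {"true", "false", "1", "0"}
TRUE_VALUES = {"true", "1"}


def validate_stanza(stanza):
    """Apply the scheme's own validation rules; returns the scheme's error strings."""
    problems = []
    location = stanza.get("splunk_stream_app_location", "")
    if not LOCATION_RE.match(location):
        problems.append("Location must start with http:// or https://")
    # Defaults to false when absent, as the scheme's description says.
    verify = stanza.get("sslVerifyServerCert", "false").strip().lower()
    if verify not in BOOL_VALUES:
        problems.append("Verify Server Certificate must be either true or false")
    return problems


def hardening_findings(stanza):
    """Checks beyond the scheme: the default leaves the server certificate unverified."""
    findings = []
    location = stanza.get("splunk_stream_app_location", "")
    verify = stanza.get("sslVerifyServerCert", "false").strip().lower() in TRUE_VALUES
    if location.startswith("https://") and not verify:
        findings.append("https location but sslVerifyServerCert is false (the default): "
                        "the server certificate is not checked")
    if verify and not stanza.get("rootCA"):
        # rootCA is only consulted when verification is on; without it, confirm
        # which CA the forwarder will trust.
        findings.append("sslVerifyServerCert is true but rootCA is not set")
    return findings


if __name__ == "__main__":
    for line in validate_stanza(SAMPLE_STANZA) + hardening_findings(SAMPLE_STANZA):
        print(line)
```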