Want to install Splunk Forwarder on Ubuntu? Here is the installation procedure.
Here at Bobcares, we have seen several such Ubuntu related installations as part of our Server Management Services for web hosts and online service providers.
Today we’ll see how to install Splunk forwarder on Ubuntu.
Know more about Splunk Forwarder
A Splunk forwarder is the agent that collects data on a host and sends it to Splunk indexers. Forwarders provide reliable, secure data collection from various sources and deliver the data to Splunk Enterprise or Splunk Cloud for indexing and analysis; in this guide the data is the alert log written by a Wazuh manager.
One of the most common and popular forwarders is the universal forwarder.
Universal forwarders can be managed centrally and need only minimal local configuration, which is why large Splunk customers deploy thousands of them to gather data from servers, applications, and any Windows or Unix-based system.
How to install Splunk Forwarder on Ubuntu
Here are the steps our Support Engineers follow to install Splunk Forwarder.
1. First, download Splunk Forwarder v7.2.1 package from the official URL: https://www.splunk.com/en_us/download/universal-forwarder.html
2. Secondly, install it with the command for your package format. On Ubuntu that is the .deb package.
- For RPM-based distributions:
# yum install splunkforwarder-package.rpm
- For DEB-based distributions such as Ubuntu:
# dpkg -i splunkforwarder-package.deb
3. Finally, confirm that Splunk Forwarder v7.2.1 was installed under /opt/splunkforwarder.
Configuring Splunk Forwarder on Ubuntu
Now let's configure the Splunk Forwarder to ship the Wazuh alerts to the Indexer component. Two files under /opt/splunkforwarder/etc/system/local are involved:
- props.conf: tells Splunk how to parse the data it receives; here, the format of the Wazuh alerts.
- inputs.conf: tells the forwarder which data source to read; here, the Wazuh alerts file.
Set up data collection
Configuring props
1. Download the props.conf template into the forwarder's local configuration directory. The -f flag makes curl fail on an HTTP error instead of silently saving the error page as your config; review the file before restarting the forwarder.
# curl -sfo /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/splunk/props.conf
Configuring inputs
1. Download the inputs.conf template the same way.
# curl -sfo /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/splunk/inputs.conf
2. Now set the Wazuh manager hostname. The template carries the placeholder MANAGER_HOSTNAME, which becomes the host field on every forwarded event. The command below assumes the forwarder runs on the Wazuh manager itself and substitutes the local hostname; if the forwarder runs elsewhere, replace $(hostname) with the manager's name.
# sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf
Set up data forwarding
1. First, run the command below to point the forwarder's output at the Splunk indexer that receives the Wazuh data. The indexer must have a receiving port enabled (Splunk's default is 9997). The command asks for the forwarder's admin credentials and, on first use, for acceptance of the license agreement.
# /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>
2. Now restart the Splunk Forwarder service.
# /opt/splunkforwarder/bin/splunk restart
Note: if the restart reports that port 8089 is already in use, another process (usually a second Splunk instance on the same host) holds the splunkd management port; configure the forwarder to use a different management port.
Once the forwarder is back up, incoming data should appear in the designated indexer.
3. If you want the Splunk Forwarder service to start at boot, run the command below (optional). By default it installs an init script that starts the forwarder as root; running it as a dedicated unprivileged user is preferable, in which case that user needs read access to the monitored alerts file.
# /opt/splunkforwarder/bin/splunk enable boot-start
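Before restarting the forwarder it is worth verifying the three things the steps above can silently get wrong: the MANAGER_HOSTNAME placeholder surviving the sed step, the forwarder's user being unable to read the monitored alerts file, and outputs.conf pointing at the wrong indexer. The script below is an added example, not code from the article, Splunk or Wazuh. It assumes the file layout produced above (/opt/splunkforwarder/etc/system/local/inputs.conf and outputs.conf), relies on the documented behaviour that `splunk add forward-server HOST:PORT` records the indexer as a [tcpout-server://HOST:PORT] stanza, and drives its demo with constructed config files so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the article, Splunk or Wazuh): sanity checks to run
# on the forwarder's local configuration before restarting splunkd.
# Assumes the layout produced by the steps above:
#   /opt/splunkforwarder/etc/system/local/{inputs.conf,outputs.conf}

# check_inputs_conf FILE
# The Wazuh template carries the placeholder MANAGER_HOSTNAME; if the sed step
# was skipped or ran against the wrong path the placeholder survives and every
# event is tagged with a bogus host. Also require a [monitor://...] stanza.
check_inputs_conf() {
  local f="$1"
  [ -r "$f" ] || { echo "check_inputs_conf: cannot read $f" >&2; return 1; }
  if grep -q 'MANAGER_HOSTNAME' "$f"; then
    echo "check_inputs_conf: placeholder MANAGER_HOSTNAME still present in $f" >&2
    return 1
  fi
  grep -q '^\[monitor://' "$f" || {
    echo "check_inputs_conf: no [monitor://...] stanza in $f" >&2; return 1; }
  return 0
}

# check_monitor_readable FILE
# Extracts the path from the first [monitor://PATH] stanza and verifies the
# current user can read it. Run it as the account splunkd runs under: a
# forwarder that cannot read the alerts file simply forwards nothing.
check_monitor_readable() {
  local f="$1" path
  path=$(sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$f" | head -n 1)
  [ -n "$path" ] || { echo "check_monitor_readable: no monitor stanza in $f" >&2; return 1; }
  [ -r "$path" ] || { echo "check_monitor_readable: $path is not readable" >&2; return 1; }
  return 0
}

# check_outputs_conf FILE HOST:PORT
# `splunk add forward-server HOST:PORT` writes a [tcpout-server://HOST:PORT]
# stanza to outputs.conf; confirm it names the indexer we intended.
check_outputs_conf() {
  local f="$1" target="$2"
  [ -r "$f" ] || { echo "check_outputs_conf: cannot read $f" >&2; return 1; }
  grep -qxF "[tcpout-server://${target}]" "$f" || {
    echo "check_outputs_conf: no tcpout-server stanza for ${target} in $f" >&2; return 1; }
  return 0
}

# Demo on constructed files (not the real Wazuh templates), so it runs offline.
demo() {
  local d alerts
  d=$(mktemp -d)
  alerts="$d/alerts.json"; : > "$alerts"
  printf '[monitor://%s]\ndisabled = 0\nhost = wazuh-manager\nindex = wazuh\nsourcetype = wazuh\n' \
    "$alerts" > "$d/inputs.conf"
  printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n[tcpout:default-autolb-group]\nserver = 10.0.0.5:9997\n\n[tcpout-server://10.0.0.5:9997]\n' \
    > "$d/outputs.conf"
  check_inputs_conf "$d/inputs.conf" && check_monitor_readable "$d/inputs.conf" \
    && check_outputs_conf "$d/outputs.conf" 10.0.0.5:9997 && echo "config OK"
  rm -rf "$d"
}
demo
```

On a real host, call the three functions against /opt/splunkforwarder/etc/system/local/inputs.conf and outputs.conf with the indexer's HOST:PORT, running check_monitor_readable as the user the forwarder starts under (splunk enable boot-start accepts -user to pick a non-root account). After the restart, splunk list forward-server shows whether the configured indexer is active, and splunk set splunkd-port moves the management port if 8089 is taken.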
Conclusion
In short, to install Splunk Forwarder on Ubuntu, download the Splunk Forwarder v7.2.1 package from the official URL, install it with dpkg, drop the props.conf and inputs.conf templates into place, point the forwarder at the indexer and restart it. Today we saw how our Support Engineers install Splunk Forwarder on Ubuntu.