Splunk Universal Forwarder to DataBee
  • 06 Jun 2024

Overview

The following deployment architecture diagram shows how logs can be forwarded from a log source to DataBee using Splunk Universal Forwarder (UF) or Splunk Heavy Forwarder (HF).

Prerequisites

  • Splunk Forwarder (UF/HF)

  • DataBee Data Collector (Configure a TCP feed)

  • DataBee UI Access

Splunk Configurations

Please reach out to your Splunk Admin to configure sending logs from Splunk Forwarder (UF/HF) to the data collector. Ref: Forward data to third-party systems.

Note

By default the forwarder also sends its own internal logs (the inputs that feed Splunk's _internal index) through the same output. If you do not want them in DataBee, disable those inputs with the help of your Splunk Admin, as shown in Step 2 of the example below.

Example

The following example shows how to receive logs from a data source (such as ISC BIND) on a Splunk forwarder (UF/HF), how to disable the forwarder's own internal-log inputs, and how to forward the result to DataBee through the data collector.

The steps mentioned below are the same (unless explicitly stated otherwise) for users who want to use Splunk HF instead of UF.

Step 1: Receiving data on Splunk

  1. Configure the data source (Refer to the relevant vendor documentation) to send data to Splunk Forwarder on one of the open ports.

  2. On your Splunk environment:

    1. Set the input stanza in $SPLUNK_HOME/etc/system/local/inputs.conf (Splunk UF) or $SPLUNK_HOME/etc/apps/search/local/inputs.conf (Splunk HF) to receive the data sent from the configured data source.

    2. Alternatively, for Splunk HF, you can configure receiving from Splunk Web (UI). Ref: Configure receiving from the UI.

    3. Create the inputs.conf file if it is not present in the relevant location above.

      For example, the stanza below receives data from the configured data source on TCP port 8000; use a [udp:8000] stanza instead if the source sends over UDP. On an HF, note that 8000 is also the default Splunk Web port, so choose a port that is not already in use.

      [tcp:8000]
      disabled = false

Step 2: Disabling Splunk internal logs

  1. The forwarder's internal-log inputs are defined in $SPLUNK_HOME/etc/system/default/inputs.conf, which should not be edited directly. Override them in $SPLUNK_HOME/etc/system/local/inputs.conf (or $SPLUNK_HOME/etc/apps/<app-name>/local/inputs.conf) by adding a stanza with the same name and disabled = true, for example:

    [monitor://$SPLUNK_HOME/var/log/splunk]
    disabled = true

    With disabled = true the Splunk forwarder (UF/HF) stops monitoring, and therefore forwarding, its own log files. Run $SPLUNK_HOME/bin/splunk btool inputs list --debug to list every input stanza that is still enabled and the file it comes from, so no other internal-log input is left behind.

  2. Similarly, check outputs.conf for any configurations that are forwarding to third-party systems and adjust them accordingly.

Step 3: Sending data to the Data Collector

  1. Before configuring the Splunk environment, create a collector in DataBee and configure a TCP data source for the product you are forwarding. Install the data collector on your system with the desired port, and make sure that port is reachable from the forwarder (host firewall and any network ACLs in between).

  2. On your Splunk environment:

    1. Copy the certificates from the data collector (the CA certificate the forwarder will verify the collector against, ca_cert.pem in the example below) and place them under $SPLUNK_HOME/etc/auth/crl/ on the forwarder. Only PEM-formatted certificates are supported: openssl x509 -in ca_cert.pem -noout -subject -dates should print the subject and validity period, and a DER file must first be converted with openssl x509 -inform der -in ca_cert.der -out ca_cert.pem.

    2. Configure the output stanza in $SPLUNK_HOME/etc/system/local/outputs.conf to forward data from the Splunk Forwarder (UF/HF) to the TCP data source configured on the Data Collector. Ref: Splunk Docs | Configure forwarders with outputs.conf

      For example, the configuration below sends data to the data collector listening on 10.50.6.144 (IP or hostname), port 6666. sendCookedData = false sends the raw events rather than Splunk's cooked forwarding protocol, which the collector does not speak; useSSL = true encrypts the connection; and sslVerifyServerCert = true together with sslRootCAPath makes the forwarder reject any collector whose certificate was not issued by the copied CA. Do not work around a handshake failure by setting sslVerifyServerCert = false; fix the CA file instead, or, if the collector's certificate name does not match the address you connect to, set sslCommonNameToCheck to the name in the certificate. The empty per-server stanza is where server-specific settings would go and can be left as is.

      [tcpout]
      defaultGroup = default-autolb-group

      [tcpout:default-autolb-group]
      server = 10.50.6.144:6666
      sendCookedData = false
      useSSL = true
      sslVerifyServerCert = true
      sslRootCAPath = $SPLUNK_HOME/etc/auth/crl/ca_cert.pem

      [tcpout-server://10.50.6.144:6666]
  3. Restart Splunk so the new configuration is loaded:

    $SPLUNK_HOME/bin/splunk restart

    Confirm the effective settings with $SPLUNK_HOME/bin/splunk btool outputs list --debug. If events do not arrive at the collector, look for TcpOutputProc and SSL errors in $SPLUNK_HOME/var/log/splunk/splunkd.log.
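The three steps above produce two small configuration files and one certificate file, and the security of the whole path rests on three outputs.conf keys. The script below is an added example for this article, not code from DataBee or Splunk: it renders the inputs.conf overrides and the outputs.conf from Step 1 to Step 3, audits any outputs.conf for the weak settings (cleartext, unverified server certificate, cooked data sent to a non-Splunk receiver), and checks that a certificate file is PEM rather than DER. The collector address, port, CA path, the weak sample configuration and the sample certificate bytes are constructed placeholders.

```python
"""Render and audit the forwarder configuration used to ship raw events
from a Splunk UF/HF to a DataBee data collector over TLS.

Added example for this article; it is not code from DataBee or Splunk.
Collector address, port and CA path are constructed placeholders.
"""
import base64
import configparser
import re

# Constructed placeholders: replace with your collector's address and CA bundle.
COLLECTOR_HOST = "10.50.6.144"
COLLECTOR_PORT = 6666
CA_CERT_PATH = "$SPLUNK_HOME/etc/auth/crl/ca_cert.pem"

# Internal-log input from system/default/inputs.conf that the article disables.
# Extend with anything else `splunk btool inputs list --debug` shows feeding _internal.
INTERNAL_LOG_STANZAS = ["monitor://$SPLUNK_HOME/var/log/splunk"]


def render_inputs_overrides(stanzas=INTERNAL_LOG_STANZAS):
    """Override stanzas for system/local/inputs.conf that stop the forwarder
    from monitoring (and therefore forwarding) its own log files."""
    return "".join(f"[{name}]\ndisabled = true\n\n" for name in stanzas)


def render_outputs_conf(host, port, ca_path, group="default-autolb-group"):
    """outputs.conf that sends uncooked events to the collector over verified TLS."""
    target = f"{host}:{port}"
    return (
        "[tcpout]\n"
        f"defaultGroup = {group}\n\n"
        f"[tcpout:{group}]\n"
        f"server = {target}\n"
        "sendCookedData = false\n"      # raw bytes: the collector is not an indexer
        "useSSL = true\n"
        "sslVerifyServerCert = true\n"  # reject a collector the CA did not sign
        f"sslRootCAPath = {ca_path}\n\n"
        f"[tcpout-server://{target}]\n"
    )


def parse_conf(text):
    """Parse a Splunk .conf file; keys are case-sensitive, unlike INI defaults."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_outputs_conf(text):
    """Return one finding per weak setting in each [tcpout:<group>] stanza.

    Splunk defaults that matter here: sendCookedData is true and
    sslVerifyServerCert is false unless set, so a missing key is the weak value."""
    cp = parse_conf(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue

        def setting(key, default):
            return cp.get(section, key, fallback=default).strip().lower()

        if not setting("server", ""):
            findings.append(f"{section}: no server target")
        if setting("useSSL", "false") != "true":
            findings.append(f"{section}: useSSL is not true, events leave the host in cleartext")
        if setting("sslVerifyServerCert", "false") != "true":
            findings.append(f"{section}: sslVerifyServerCert is not true, an impostor collector is accepted")
        elif not setting("sslRootCAPath", ""):
            findings.append(f"{section}: no sslRootCAPath here, verification falls back to server.conf; set it")
        if setting("sendCookedData", "true") != "false":
            findings.append(f"{section}: sendCookedData is not false, collector gets Splunk's cooked protocol")
    return findings


# Constructed weak configuration: plaintext, no verification, cooked data by default.
WEAK_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = plaintext-group

[tcpout:plaintext-group]
server = 10.50.6.144:6666
useSSL = false
"""

_PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def is_pem_certificate(data):
    """True if data holds a PEM certificate block whose body is valid base64.
    DER files (ASN.1 SEQUENCE, first byte 0x30) fail, matching the article's
    note that only PEM is supported."""
    m = _PEM_BLOCK.search(data)
    if not m:
        return False
    body = b"".join(m.group(1).split())
    try:
        return len(base64.b64decode(body, validate=True)) > 0
    except ValueError:
        return False


# Constructed samples: the PEM body is well-formed but not a real certificate.
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(b"constructed placeholder, not a real certificate")
                   + b"-----END CERTIFICATE-----\n")
CONSTRUCTED_DER = b"\x30\x82\x01\x0a\x30\x82\x00\xf2"

if __name__ == "__main__":
    print(render_inputs_overrides())
    conf = render_outputs_conf(COLLECTOR_HOST, COLLECTOR_PORT, CA_CERT_PATH)
    print(conf)
    print("findings, rendered config:", audit_outputs_conf(conf))
    print("findings, weak config:", audit_outputs_conf(WEAK_OUTPUTS_CONF))
```

Run the audit against the outputs.conf the forwarder actually loads (the merged view from splunk btool outputs list --debug is the authoritative one, since an app-level file can override system/local); the rendered configuration yields no findings, while the weak sample yields three, one each for useSSL, sslVerifyServerCert and sendCookedData.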

Please reach out to your Splunk Admin for any support.

