Configure a Splunk forwarder on Linux
Here are the steps to configure a Splunk forwarder installed on Linux to forward data to the Splunk indexer:
1. From the /opt/splunkforwarder/bin directory, run the sudo ./splunk enable boot-start command so that the forwarder starts automatically when the host boots.
2. Next, configure the indexer that the forwarder will send its data to. This is done with the ./splunk add forward-server HOST:9997 -auth USERNAME:PASSWORD command; admin and changeme are the default values for the username and password.
3. To add the data you would like to consume and send to the indexer, run sudo ./splunk add monitor LOG -sourcetype SOURCE_TYPE -index NAME. For example, to add the /var/log/syslog file with the sourcetype linux_logs and store it in the index called remotelogs, we would use the following command:
sudo ./splunk add monitor /var/log/syslog -sourcetype linux_logs -index remotelogs
4. Restart the forwarder to apply the changes (sudo ./splunk restart). We can then run a search on the indexer to verify that events are indeed being received.
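The four steps above, scripted as one re-runnable POSIX shell script with a forwarder-side verification step. This is an added example, not Splunk's own tooling or the page's code. The variable names (SPLUNK_HOME, INDEXER_HOST, INDEXER_PORT, SPLUNK_USER, SPLUNK_PASSWORD, DRY_RUN), the placeholder indexer name indexer.example.internal and the dry-run convention are this script's own assumptions; the splunk CLI subcommands (enable boot-start, add forward-server, add monitor, restart, list forward-server, list monitor) are standard forwarder commands. The inputs_stanza helper renders the equivalent inputs.conf stanza for a monitor input, which is what the add monitor command writes under the forwarder's etc/ tree and what you would hand to a configuration-management tool instead of the CLI.

```shell
#!/bin/sh
# Added example: the forwarder setup steps as a script (not from the page).
# Assumed, not stated on the page: the variables below and the placeholder
# indexer hostname. The password comes from the environment so it is never
# hard-coded in the script or typed into shell history.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK_BIN="$SPLUNK_HOME/bin/splunk"
INDEXER_HOST="${INDEXER_HOST:-indexer.example.internal}"   # constructed placeholder
INDEXER_PORT="${INDEXER_PORT:-9997}"
SPLUNK_USER="${SPLUNK_USER:-admin}"
SPLUNK_PASSWORD="${SPLUNK_PASSWORD:-}"   # export before running with DRY_RUN=0
DRY_RUN="${DRY_RUN:-1}"                  # 1 = only print the commands; 0 = execute them

# Argument string for "splunk add forward-server HOST:PORT".
forward_server_args() {
    printf 'add forward-server %s:%s' "$1" "$2"
}

# Argument string for "splunk add monitor LOG -sourcetype ST -index IDX".
monitor_args() {
    printf 'add monitor %s -sourcetype %s -index %s' "$1" "$2" "$3"
}

# The inputs.conf stanza equivalent to that add monitor command
# ($1 = path, $2 = sourcetype, $3 = index).
inputs_stanza() {
    printf '[monitor://%s]\ndisabled = false\nsourcetype = %s\nindex = %s\n' "$1" "$2" "$3"
}

# Run one splunk CLI command with sudo, or print it in dry-run mode.
# $1 is "auth" (append -auth USER:PASSWORD) or "noauth"; $2 is the argument string.
# Credentials are masked in dry-run output.
run_splunk() {
    if [ "$DRY_RUN" = "1" ]; then
        if [ "$1" = auth ]; then
            printf 'would run: %s %s -auth %s:****\n' "$SPLUNK_BIN" "$2" "$SPLUNK_USER"
        else
            printf 'would run: %s %s\n' "$SPLUNK_BIN" "$2"
        fi
    elif [ "$1" = auth ]; then
        sudo "$SPLUNK_BIN" $2 -auth "$SPLUNK_USER:$SPLUNK_PASSWORD"
    else
        sudo "$SPLUNK_BIN" $2
    fi
}

# Steps 1 to 4 from the text, in order.
configure_forwarder() {
    if [ "$DRY_RUN" != "1" ] && [ -z "$SPLUNK_PASSWORD" ]; then
        echo "SPLUNK_PASSWORD is not set" >&2
        return 1
    fi
    run_splunk noauth "enable boot-start"
    run_splunk auth   "$(forward_server_args "$INDEXER_HOST" "$INDEXER_PORT")"
    run_splunk auth   "$(monitor_args /var/log/syslog linux_logs remotelogs)"
    run_splunk noauth "restart"
}

# Forwarder-side checks: the configured output and the monitored inputs.
verify_forwarder() {
    run_splunk auth "list forward-server"
    run_splunk auth "list monitor"
}

configure_forwarder
verify_forwarder
```

Run it once with the default DRY_RUN=1 to review the commands it would issue, then with SPLUNK_PASSWORD exported (a non-default password, not changeme) and DRY_RUN=0 on the forwarder host. After the restart, list forward-server should show the indexer as active; the final check from the text is a search on the indexer, for example index=remotelogs sourcetype=linux_logs over the last few minutes, which should return events from /var/log/syslog.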