Configure a Splunk forwarder on Linux

Here are the steps to configure a Splunk forwarder installed on Linux to forward data to the Splunk indexer:

From the /opt/splunkforwarder/bin directory, run the sudo ./splunk enable boot-start command so that the forwarder starts automatically at boot:

sudo ./splunk enable boot-start

Next, configure the indexer that the forwarder will send its data to. This is done with the ./splunk add forward-server HOST:9997 -auth USERNAME:PASSWORD command, where HOST is the indexer's address, 9997 is the default receiving port, and the -auth credentials are the forwarder's own admin account (admin and changeme are the defaults for the username and password):

sudo ./splunk add forward-server HOST:9997 -auth USERNAME:PASSWORD

To add the data you would like to collect and send to the indexer, run the sudo ./splunk add monitor LOG -sourcetype SOURCE_TYPE -index NAME command. For example, to add the /var/log/syslog file with the sourcetype linux_logs and store it in the index called remotelogs, we would use the following command:

sudo ./splunk add monitor /var/log/syslog -sourcetype linux_logs -index remotelogs

Restart the forwarder to apply the changes (sudo ./splunk restart). We can then run a search on the indexer (for example, index=remotelogs) to verify that events are indeed being sent:

(screenshot: Splunk search results on the indexer showing events received from the forwarder)
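The CLI commands above all end up as entries in two files under $SPLUNK_HOME/etc/system/local: outputs.conf (the add forward-server step) and inputs.conf (the add monitor step). The following POSIX shell script is an added example, not part of the original page or of Splunk's own tooling: it writes those two files for the values used in the steps above, checks them, and only calls splunk restart if a forwarder binary is actually present. The indexer host name indexer.example.internal is an assumed placeholder; override it and the other values through the environment variables at the top. Because the files are written directly, the forwarder's admin credential never has to appear on a command line or in shell history.

```shell
#!/bin/sh
# Added example (not from the original page): generate the inputs.conf and
# outputs.conf that the CLI steps produce, so the result can be reviewed
# before the forwarder is restarted. Only touches the directory passed in.
set -eu

INDEXER_HOST="${INDEXER_HOST:-indexer.example.internal}"   # assumption: placeholder indexer
INDEXER_PORT="${INDEXER_PORT:-9997}"                       # default Splunk receiving port
MONITOR_PATH="${MONITOR_PATH:-/var/log/syslog}"
SOURCE_TYPE="${SOURCE_TYPE:-linux_logs}"
INDEX_NAME="${INDEX_NAME:-remotelogs}"

# write_forwarder_conf SPLUNK_HOME
# Creates etc/system/local/outputs.conf and inputs.conf under SPLUNK_HOME.
write_forwarder_conf() {
    conf_dir="$1/etc/system/local"
    mkdir -p "$conf_dir"

    # outputs.conf: where the forwarder sends data (the "add forward-server" step)
    cat > "$conf_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = ${INDEXER_HOST}:${INDEXER_PORT}

[tcpout-server://${INDEXER_HOST}:${INDEXER_PORT}]
EOF

    # inputs.conf: what the forwarder collects (the "add monitor" step)
    cat > "$conf_dir/inputs.conf" <<EOF
[monitor://${MONITOR_PATH}]
sourcetype = ${SOURCE_TYPE}
index = ${INDEX_NAME}
disabled = false
EOF
}

# check_forwarder_conf SPLUNK_HOME
# Returns 0 when both files name the expected indexer, monitored path and index.
check_forwarder_conf() {
    conf_dir="$1/etc/system/local"
    grep -q "^server = ${INDEXER_HOST}:${INDEXER_PORT}\$" "$conf_dir/outputs.conf" || return 1
    grep -q "^\[monitor://${MONITOR_PATH}\]\$" "$conf_dir/inputs.conf" || return 1
    grep -q "^index = ${INDEX_NAME}\$" "$conf_dir/inputs.conf" || return 1
}

# restart_if_installed SPLUNK_HOME
# Applies the change on a real host; a no-op where no forwarder is installed
# (for example when reviewing the generated files on a workstation).
restart_if_installed() {
    if [ -x "$1/bin/splunk" ]; then
        sudo "$1/bin/splunk" restart
    else
        echo "no forwarder at $1; configuration written but not applied"
    fi
}

# Dry run: build the files in a scratch directory and verify them.
# On a real forwarder, pass /opt/splunkforwarder instead of the scratch path.
SCRATCH="$(mktemp -d)"
write_forwarder_conf "$SCRATCH"
check_forwarder_conf "$SCRATCH" && echo "forwarder config OK under $SCRATCH"
restart_if_installed "$SCRATCH"
```

After the restart, the search index=remotelogs on the indexer should return events with sourcetype linux_logs from the forwarding host; an empty result usually means the indexer is not listening on port 9997 or the monitored file is unreadable by the user the forwarder runs as.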

Geek University 2022