Steps to install splunkforwarder on Linux (Ubuntu / CentOS):
splunkforwarder is Splunk's client-side log forwarding tool.
Download page (download the tar package):
https://www.splunk.com/en_us/download/universal-forwarder.html
On the Splunk server, open the receiving port (Settings - Forwarding and receiving - Configure receiving - New - 9997)
Client:
Installation:
tar zxfv splunkforwarder-7.3.0-657388c7a488-Linux-x86_64.tgz -C /opt/
Start splunkforwarder:
/opt/splunkforwarder/bin/splunk enable boot-start
Press Enter; after it reaches 100%, enter y
Account name: splunk (an admin account is required at startup)
Password: xxxxx
service splunk start
/opt/splunkforwarder/bin/splunk set deploy-poll ip:8089
Enter the account and password set above
/opt/splunkforwarder/bin/splunk add forward-server ip:9997 (ip is the Splunk server's IP)
View the configured forward server:
/opt/splunkforwarder/bin/splunk list forward-server
Add items to collect:
/opt/splunkforwarder/bin/splunk add monitor /var/log/mysql/error.log
/opt/splunkforwarder/bin/splunk add monitor /var/log/httpd/error_log
You can also edit the following file directly:
/opt/splunkforwarder/etc/apps/search/local/inputs.conf
Restart the service:
service splunk restart
On the Splunk server, go to Settings - Forwarder management to check that the client is connected
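
The direct inputs.conf edit mentioned above, as an added example that is not part of the original steps: a shell helper that writes the monitor stanzas for the two log files without duplicating entries. The function names and the --apply switch are assumptions made for illustration; the file path and log paths are the ones from this page.

```shell
#!/bin/sh
# Added example: write monitor stanzas into inputs.conf directly instead of
# running "splunk add monitor" once per file. Default path is the page's.
INPUTS_CONF="${INPUTS_CONF:-/opt/splunkforwarder/etc/apps/search/local/inputs.conf}"

# add_monitor_stanza LOGFILE [CONF]  (hypothetical helper)
# Appends a [monitor://LOGFILE] stanza unless the same header already exists.
# Returns 0 when the stanza is present afterwards, 1 for a rejected path.
add_monitor_stanza() {
    logfile=$1
    conf=${2:-$INPUTS_CONF}
    case $logfile in
        # Brackets would break the stanza header, so refuse them.
        *"["*|*"]"*) echo "refusing path with brackets: $logfile" >&2; return 1 ;;
        /*) ;;
        *) echo "refusing non-absolute path: $logfile" >&2; return 1 ;;
    esac
    # /var/log/x becomes [monitor:///var/log/x]: "monitor://" plus the path.
    header="[monitor://$logfile]"
    mkdir -p "$(dirname "$conf")" && touch "$conf" || return 1
    # -F fixed string, -x whole line: '.' and '[' are not treated as regex.
    if grep -Fxq -- "$header" "$conf"; then
        return 0
    fi
    # disabled = false keeps the input enabled.
    printf '%s\ndisabled = false\n\n' "$header" >> "$conf"
}

# count_monitor_stanzas [CONF]: number of monitor stanzas in the file.
count_monitor_stanzas() {
    grep -c '^\[monitor://' "${1:-$INPUTS_CONF}" || true
}

# Run as "sh thisfile.sh --apply" on the client to add the page's two logs.
if [ "${1:-}" = "--apply" ]; then
    add_monitor_stanza /var/log/mysql/error.log
    add_monitor_stanza /var/log/httpd/error_log
    echo "stanzas in $INPUTS_CONF: $(count_monitor_stanzas)"
    echo "now run: service splunk restart"
fi
```

The account the forwarder runs as must be able to read each monitored file, otherwise the stanza is accepted but no events arrive.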