Options for Splunk Forwarder


C. L. Martinez

May 19, 2018, 7:03:05 AM5/19/18
to wa...@googlegroups.com
Hi all,

I would like to do some tests using Splunk as a backend instead of ELK, but the configuration how-to link seems broken:

https://documentation.wazuh.com/current/installation-guide/installing-splunk/index.htm redirects to https://documentation.wazuh.com/current/not_found.html.

My Question: what options do I need to configure in inputs.conf on Splunk forwarder to send alerts.json from wazuh manager?

Thanks
--
Greetings,
C. L. Martinez

Manuel Jiménez

May 19, 2018, 8:15:08 AM5/19/18
to C. L. Martinez, wa...@googlegroups.com

Hi C.L. Martinez,

The Splunk guide in Wazuh official documentation is being improved and is under maintenance so it’s currently down. I’d like to apologize for this inconvenience.
You can follow these steps in order to set your forwarder up:

  1. You must install Splunk Forwarder on your Wazuh Manager.
  2. Go to $SPLUNK_HOME/etc/system/local.
  3. Edit the file inputs.conf. If it doesn’t exist, create it:

     [monitor:///var/ossec/logs/alerts/alerts.json]
     disabled = 0
     host = wazuhmanager
     index = wazuh
     sourcetype = wazuh
    
    • host = wazuhmanager: hostname of the Wazuh Manager.
    • index = wazuh: default index in which alerts are stored.
    • sourcetype = wazuh: default sourcetype for received alerts.
  4. Edit the file and add the following stanza on props.conf. If it doesn’t exist, create it:

     [wazuh]
     DATETIME_CONFIG = 
     INDEXED_EXTRACTIONS = json
     KV_MODE = none
     NO_BINARY_CHECK = true
     category = Application
     disabled = false
     pulldown_type = true
    
  5. Point the output to Wazuh's Indexer (or indexers):

     $SPLUNK_HOME/bin/splunk add forward-server <host name or ip address>:<listening port>
    
    • host name or IP address: IP address of the Splunk Indexer.
    • listening port: by default, port 9997.
    • Remember that the Splunk username/password are admin/changeme by default.

      If you have multiple indexers, please set outputs.conf like this:

      [tcpout]
      defaultGroup=indexer1,indexer2
      
      [tcpout:indexer1]
      server=IP_FIRST_INDEXER:9997
      
      [tcpout:indexer2]
      server=IP_SECOND_INDEXER:9997
      
  6. Restart Splunk services (Windows Service, Linux).
     $SPLUNK_HOME/bin/splunk restart
    

Please, don’t hesitate to write again for anything you may need when configuring any component of Splunk like the Indexer or the Wazuh app for Splunk, I’ll be glad to help you.
Thanks for your patience,

Best regards,
Manu
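The three files in the steps above have to agree with each other (the monitor input's sourcetype needs a props.conf stanza with JSON extraction, and every group named in defaultGroup needs a host:port server). The following is an added example, not code from the thread or from Wazuh or Splunk, that parses constructed copies of those files and reports the mismatches a practitioner typically hits; the indexer IPs are made-up placeholders.

```python
import configparser
# Constructed copies of the three forwarder files from the thread (not read from disk).
INPUTS_CONF = """
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = wazuhmanager
index = wazuh
sourcetype = wazuh
"""
PROPS_CONF = """
[wazuh]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
"""
OUTPUTS_CONF = """
[tcpout]
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server=10.0.0.11:9997
[tcpout:indexer2]
server=10.0.0.12:9997
"""
def parse_conf(text):
    # Splunk .conf files are INI-like; keys are case-sensitive and may have empty values.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_forwarder(inputs, props, outputs):
    # Returns a list of problems; an empty list means the three files agree.
    problems = []
    for stanza, kv in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        if kv.get("disabled", "0").lower() not in ("0", "false"):
            problems.append(f"{stanza}: input is disabled")
        st = kv.get("sourcetype")
        if st not in props:
            problems.append(f"{stanza}: sourcetype '{st}' has no props.conf stanza")
        elif props[st].get("INDEXED_EXTRACTIONS", "").lower() != "json":
            problems.append(f"[{st}]: INDEXED_EXTRACTIONS must be json to parse alerts.json")
    groups = outputs.get("tcpout", {}).get("defaultGroup", "")
    for g in filter(None, (x.strip() for x in groups.split(","))):
        server = outputs.get(f"tcpout:{g}", {}).get("server", "")
        _, sep, port = server.rpartition(":")
        if not sep or not port.isdigit():
            problems.append(f"[tcpout:{g}]: server must be host:port, got '{server}'")
    return problems
```

Run it against the real files under $SPLUNK_HOME/etc/system/local by reading each one into parse_conf before calling check_forwarder.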
