Page created: 6 Nov 2020 | Page updated: 12 May 2021
Install and configure the Splunk Universal Forwarder to collect attack data.
1. Download Splunk Universal Forwarder 8.0.0.

2. Install the Splunk Universal Forwarder by entering the following command.

    [root@ABS]# tar -xvf splunkforwarder-8.0.0-8c86330ac18-Linux-x86_64.tgz
    splunkforwarder/
    splunkforwarder/share/

   Note: Replace the file name given in the example command with the name of the file you downloaded in step 1.

3. Start the Splunk Universal Forwarder.

    [root@ABS]# cd splunkforwarder/bin
    [root@ABS]# ./splunk start --accept-license

4. Add forward server details (the receiver host and port in Splunk).

    [root@dashboard]# ./splunk add forward-server ip:port
    Splunk username: admin
    Password:
    Added forwarding to: 192.168.1.158:9997.

   Note: Enable the receiving port in Splunk. For example, configure port number 9997 from the previous example in your Splunk deployment.

5. Edit the inputs.conf file on your Splunk Forwarder as shown in the following example.

    [root@ABS]# ./splunk add monitor /opt/pingidentity/splunk/data/
    Added monitor of '/opt/pingidentity/splunk/data/'.

6. Edit the inputs.conf file on your Splunk Forwarder.

    [root@dashboard]# cat /opt/splunkforwarder/etc/apps/search/local/inputs.conf
    [monitor:///opt/pingidentity/pingidentity/dashboard/logs/attack.log/]
    index = pi_events
    sourcetype=pi_events_source_type
    disabled = false

7. Restart the Splunk Universal Forwarder.

    [root@ABS]# ./splunk restart

8. Verify that data is flowing to Splunk.

   If no data is available in Splunk, check your firewall settings.
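The following added example (not Ping Identity's code) checks the forwarder configuration produced by the steps above before you look at the firewall: it parses an inputs.conf, confirms that the attack.log monitor stanza has the expected index, a sourcetype and is not disabled, and offers a TCP reachability test for the receiving port. The sample file content is constructed inline from the stanza shown in step 6; the function names are this example's own.

```python
import configparser
import socket

# Constructed sample mirroring the inputs.conf stanza from step 6 above
# (embedded here so the check runs without touching the real file).
SAMPLE_INPUTS_CONF = """\
[monitor:///opt/pingidentity/pingidentity/dashboard/logs/attack.log/]
index = pi_events
sourcetype=pi_events_source_type
disabled = false
"""

def parse_inputs_conf(text):
    """Parse Splunk inputs.conf text into {stanza_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive; keep them as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_monitor_stanzas(stanzas, expected_index):
    """Return a list of problems that would stop attack data reaching the index."""
    problems = []
    monitors = {n: s for n, s in stanzas.items() if n.startswith("monitor://")}
    if not monitors:
        problems.append("no [monitor://...] stanza: nothing will be forwarded")
    for name, settings in monitors.items():
        path = name[len("monitor://"):]
        if not path.startswith("/"):
            problems.append(f"{name}: monitor path is not absolute")
        if settings.get("index") != expected_index:
            problems.append(f"{name}: index is {settings.get('index')!r}, expected {expected_index!r}")
        if not settings.get("sourcetype"):
            problems.append(f"{name}: sourcetype is not set")
        if settings.get("disabled", "false").strip().lower() not in ("false", "0"):
            problems.append(f"{name}: stanza is disabled")
    return problems

def receiver_reachable(host, port, timeout=3.0):
    """TCP-connect to the Splunk receiving port (e.g. 9997).

    False usually means the port is not enabled in Splunk or a firewall blocks it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    found = check_monitor_stanzas(parse_inputs_conf(SAMPLE_INPUTS_CONF), "pi_events")
    print("inputs.conf problems:", found or "none")
```

To check a live forwarder, read /opt/splunkforwarder/etc/apps/search/local/inputs.conf into parse_inputs_conf and call receiver_reachable with the host and port you gave to add forward-server.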