Install and configure the Splunk Universal Forwarder to collect attack data and forward it to the Splunk Server.
- Download Splunk Universal Forwarder 8.0.0. For more information, see Splunk® Universal Forwarder Manual.
Install the Splunk Universal Forwarder by entering the following command.
[root@ABS]# tar -xvf splunkforwarder-8.0.0-8c86330ac18-Linux-x86_64.tgz splunkforwarder/ splunkforwarder/share/Note:
Replace the file name given in the example command with the name of the file you downloaded in step 1.
Start the Splunk Universal Forwarder.
[root@ABS]# cd splunkforwarder/bin [root@ABS]# ./splunk start --accept-license
Add forward server details (the receiver host and port in Splunk).
[root@dashboard]# ./splunk add forward-server ip:port Splunk username: admin Password: Added forwarding to: 192.168.1.158:9997.Note:
Enable the receiving port in Splunk. For example, configure port number 9997 from the previous example in your Splunk deployment.
Edit the inputs.conf file on your Splunk Universal Forwarder
as shown in the following example.
[root@ABS]# ./splunk add monitor /opt/pingidentity/splunk/data/ Added monitor of '/opt/pingidentity/splunk/data/'.
Edit the inputs.conf file on your Splunk Universal
[root@dashboard]# cat /opt/splunkforwarder/etc/apps/search/local/inputs.conf [monitor:///opt/pingidentity/pingidentity/dataengine/logs/attack.log/] index = pi_events sourcetype=pi_events_source_type disabled = false
Restart the Splunk Universal Forwarder.
[root@ABS]# ./splunk restart
Verify if data is flowing to Splunk on the Splunk Dashboard.
If no data is available in Splunk, check your firewall settings.