Step 2. Configuring Forwarder and Search Head apps (distributed deployment)

In the distributed deployment scheme, you must configure Forwarder App on the basis of the organization of your distributed Splunk environment. For example, the configuration changes may include changing the Feed Service address used by the apps, or adding new event sources for Forwarder App. For Search Head App, you may have to configure the email addresses for alerts.

Configuration actions for Forwarder App and Search Head App

For Forwarder App, you may have to do the following:

For Search Head App, you may have to do the following:

Restart Splunk and Feed Service after you make changes to the configuration files.

Edit only those Forwarder App and Search Head App configuration files that are described in this section. Editing other configuration files may result in unpredictable behavior.

Configuration files (distributed deployment)

The following table summarizes configuration files used by Forwarder App and Search Head App in the following distributed deployment scheme variants:

Default data parsing rules

The way in which Forwarder App parses incoming data is defined in the props.conf file. By default, Forwarder App does the following:

The following are the default rules used by Forwarder App to parse incoming data.

TIME_PREFIX = ^

MAX_TIMESTAMP_LOOKAHEAD = 17

TIME_FORMAT = %b %d %H:%M:%S

LINE_BREAKER = ([\n]+)

SHOULD_LINEMERGE = false

Changing the address and port for forwarding data to Feed Service

By default, Forwarder App is configured to forward data to Feed Service at 127.0.0.1:9999.

To change the address and port for forwarding data to Feed Service,

In the outputs.conf configuration file, in the [tcpout:service9999] section, specify the new address and port for the server parameter that will be used by Feed Service.

In the following example, 192.0.2.100:9999 is specified as the Feed Service address.

[tcpout:service9999]

disabled=false

server = 192.0.2.100:9999

sendCookedData = false

Adding new event sources

To add new event sources, edit the inputs.conf and props.conf configuration files of the app.

To add a new event source:

  1. In inputs.conf, specify a new event source that uses the service9999 TCP routing rule.

    All data from this input will be forwarded to Feed Service.

  2. In props.conf, specify how data from this source must be processed.
  3. Restart Splunk.

Make sure that data from the new event source matches the Feed Service regular expressions defined in the Feed Service configuration file.

Below is an example of adding the address :3001 as the event source; it specifies that data from the address :3001 must be processed as other input data in the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer).

# to inputs.conf

[tcp://:3001]

_TCP_ROUTING = service9999

 

# to props.conf

[source::tcp:3001]

TIME_PREFIX = ^

MAX_TIMESTAMP_LOOKAHEAD = 17

TIME_FORMAT = %b %d %H:%M:%S

LINE_BREAKER = ([\n]+)

SHOULD_LINEMERGE = false

If Splunk Forwarder is already configured for receiving events from different event sources and you want to send events to Feed Service, perform the following procedure. This can be done if the server field of the outputs.conf configuration file of Forwarder App contains the IP address and port that are specified in the InputSettings > ConnectionString element of the Feed Service configuration file.

To forward events to Feed Service:

  1. In the outputs.conf file that is used for forwarding events from Splunk (it can be either the outputs.conf file of a custom Splunk application or the %SPLUNK_DIR%/etc/system/local/inputs.conf file), in the defaultGroup field, add a comma and a string service9999.

    In this case, check the event forwarding logic and make sure that events that arrived from Feed Service are not sent again to Feed Service by Splunk.

    If the inputs.conf configuratioin file contains the _TCP_ROUTING parameter for those event sources, the events from which are sent to Feed Service, add a comma and the service9999 string to the _TCP_ROUTING parameter.

  2. Restart Splunk.

Configuring Forwarder App to send events to indexes

By default, events that are sent from Forwarder App to Feed Service are not registered in the indexes. You can change this behavior by configuring Forwarder App.

To configure Forwarder App to send events to the main index:

  1. Locate the Forwarder that you want to configure. This Forwarder is typically a machine with Forwarder App installed. You must configure all Forwarders that are used in your distributed integration scheme.
  2. On the Forwarder, in the %SPLUNK_HOME%\etc\system\local\outputs.conf file, locate the name of the target group that is used for sending events to the Indexer (or multiple Indexers). Here %SPLUNK_HOME% is the Splunk installation directory.

    By default, the name of this group is default-autogroup-lb:

    [tcpout: default-autogroup-lb]

  3. In the inputs.conf file used by the Forwarder App, locate the section with service9999 TCP routing rule:

    _TCP_ROUTING = service9999

  4. Add the name of the target group to this rule.

    For example, if the name of the target group is default-autogroup-lb, the rule must be changed in the following way:

    _TCP_ROUTING=service9999, default-autogroup-lb

  5. Restart Splunk on the Forwarder.

Adding email addresses to alert templates

Kaspersky CyberTrace App comes with several alert templates that you can use and customize from the Alerts dashboard.

Following alert templates are available:

Following are the default Kaspersky CyberTrace App settings:

To add an email address to an alert template:

  1. In savedsearches.conf, add an email address to the action.email.to parameter for the alert template.
  2. Restart Splunk.

In the following example, the email address user@example.com is added to an alert template.

#...

action.email.to = user@example.com

#...

Page top