Step 2. Configuring Forwarder and Search Head apps (distributed deployment)
April 11, 2024
ID 167080
In the distributed deployment scheme, you must configure Forwarder App on the basis of the organization of your distributed Splunk environment. For example, the configuration changes may include changing the Kaspersky CyberTrace Service address used by the apps, or adding new event sources for Forwarder App. For Search Head App, you may have to configure the email addresses for alerts.
Configuration actions for Forwarder App and Search Head App
For Forwarder App, you may have to do the following:
- Change the address and port for forwarding events to Kaspersky CyberTrace Service. See subsection "Changing the address and port for forwarding data to Kaspersky CyberTrace Service" below.
- Configure Forwarder App to send events to one or more Indexers. By default, events that are sent from Forwarder App to Kaspersky CyberTrace Service are not registered in the indexes. See subsection "Configuring Forwarder App to send events to indexes" below.
- If several Forwarder Apps are used, only one Forwarder App must receive events from Kaspersky CyberTrace at port
9998
. For all other Forwarder Apps, disable this rule by specifyingtrue
in thedisabled
parameter for this rule in the Forwarder App configuration file. The IP address and port of the Forwarder App that will receive events from Kaspersky CyberTrace must be specified on the Settings > Service tab in Kaspersky CyberTrace Web. - Add new event sources. See subsection "Adding new event sources" below.
For Search Head App, you may have to do the following:
Restart Splunk after you make changes to the configuration files.
Edit only those Forwarder App and Search Head App configuration files that are described in this section. Editing other configuration files may result in unpredictable behavior.
Configuration files (distributed deployment)
The following table summarizes configuration files used by Forwarder App and Search Head App in the following distributed deployment scheme variants:
- One indexer, multiple forwarders
- Multiple indexers, multiple forwarders
Configuration files of Forwarder App and Search Head App
Application
Configuration file
Default rules
Forwarder App
\default\inputs.conf
Receives data from sources at port
3000
and forwards it as configured inoutputs.conf
.Receives events from Kaspersky CyberTrace at
:9998
port.Forwarder App
\default\outputs.conf
Forwards data to
127.0.0.1:9999
(Kaspersky CyberTrace Service address).Forwarder App
\default\props.conf
Parse data received at
:3000
and:9998
. For a description of default data parsing rules, see subsection "Default data parsing rules" below.Search Head App
\default\savedsearches.conf
Rules for alert templates.
Default data parsing rules
The way in which Splunk parses incoming data is defined in the props.conf file. By default, it does the following:
- Defines how time stamps are extracted from incoming data.
- Defines a delimiter (line breaker) between events for incoming data.
For example, if the incoming data has the sequence
"%data_1%\n\n%data_2%"
and the line breaker is one or more\n
symbols, Splunk splits this sequence into two events (%data_1%
and%data_2%
).
The following are the default rules used by Forwarder App to parse incoming data.
TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 17 TIME_FORMAT = %b %d %H:%M:%S LINE_BREAKER = ([\n]+) SHOULD_LINEMERGE = false |
Universal Forwarder cannot parse events. The parsing settings from props.conf will not run on Universal Forwarder. In this case, events will be parsed directly on Indexer. See Step 1. Installing Forwarder and Search Head apps.
Changing the address and port for forwarding data to Kaspersky CyberTrace Service
By default, Forwarder App is configured to forward data to Kaspersky CyberTrace Service at 127.0.0.1:9999
.
To change the address and port for forwarding data to Kaspersky CyberTrace Service,
In the outputs.conf
configuration file, in the [tcpout:service9999]
section, specify the new address and port for the server
parameter that will be used by Kaspersky CyberTrace Service.
In the following example, 192.0.2.100:9999
is specified as the Kaspersky CyberTrace Service address.
[tcpout:service9999] disabled=false server = 192.0.2.100:9999 sendCookedData = false |
Adding new event sources
To add new event sources, edit the inputs.conf and props.conf configuration files of the app.
To add a new event source:
- In inputs.conf, specify a new event source that uses the
service9999
TCP routing rule.All data from this input will be forwarded to Kaspersky CyberTrace Service.
- In props.conf, specify how data from this source must be processed.
- Restart Splunk.
Make sure that data from the new event source matches the regular expressions used by Kaspersky CyberTrace.
Below is an example of adding the address :3001
as the event source; it specifies that data from the address :3001
must be processed as other input data in the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer).
# to inputs.conf [tcp://:3001] _TCP_ROUTING = service9999
# to props.conf [source::tcp:3001] TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 17 TIME_FORMAT = %b %d %H:%M:%S LINE_BREAKER = ([\n]+) SHOULD_LINEMERGE = false |
If Splunk Forwarder is already configured for receiving events from different event sources and you want to send events to Kaspersky CyberTrace Service, perform the following procedure. This can be done if the server
field of the outputs.conf configuration file of Forwarder App contains the IP address and port that are specified in the InputSettings > ConnectionString
element of the Kaspersky CyberTrace Service configuration file.
To forward events to Kaspersky CyberTrace Service:
- In the outputs.conf file that is used for forwarding events from Splunk (it can be either the outputs.conf file of a custom Splunk application or the
%SPLUNK_HOME%/etc/system/local/inputs.conf
file), in thedefaultGroup
field, add a comma and a stringservice9999
.In this case, check the event forwarding logic and make sure that events that arrived from Kaspersky CyberTrace Service are not sent again to Kaspersky CyberTrace Service by Splunk.
If the inputs.conf configuration file contains the
_TCP_ROUTING
parameter for those event sources, the events from which are sent to Kaspersky CyberTrace Service, add a comma and theservice9999
string to the_TCP_ROUTING
parameter. - Restart Splunk.
If required, ScannersCount settings in Kaspersky CyberTrace may be changed depending on the Splunk architecture.
Configuring Forwarder App to send events to indexes
By default, events that are sent from Forwarder App to Kaspersky CyberTrace Service are not registered in the indexes. You can change this behavior by configuring Forwarder App.
To configure Forwarder App to send events to the main index:
- Locate the Forwarder that you want to configure. This Forwarder is typically a machine with Forwarder App installed. You must configure all Forwarders that are used in your distributed integration scheme.
- On the Forwarder, in the
%SPLUNK_HOME%\etc\system\local\outputs.conf
file, locate the name of the target group that is used for sending events to one or more Indexers. Here%SPLUNK_HOME%
is the Splunk installation directory.By default, the name of this group is default-autolb-group:
[tcpout: default-autolb-group]
- In the
inputs.conf
file used by the Forwarder App, locate the section withservice9999
TCP routing rule:_TCP_ROUTING = service9999
- Add the name of the target group to this rule.
For example, if the name of the target group is default-autolb-group, the rule must be changed in the following way:
_TCP_ROUTING=service9999, default-autolb-group
- Restart Splunk on the Forwarder.
Configuring alert templates
For more information about configuring alert templates, see subsection "Configuring alert templates" in Step 2 (optional). Configuring Kaspersky CyberTrace App.