How Do I Set Up Syslog Forwarding to Splunk Cloud Using the Universal Forwarder?

This KB provides a guideline for integrating MD Core syslog with Splunk Cloud. Splunk Cloud receives the data through a Universal Forwarder, so the forwarder has to be set up first. The steps below were performed on Red Hat Enterprise Linux 9.2 (Plow), so the commands assume a Red Hat system using RPM packages.

1 - Install Universal Forwarder

In your Splunk Cloud instance, select the Universal Forwarder option shown below to begin the setup.

Then follow the Splunk instructions shown to complete the setup.

After downloading the installer and credential files as shown in the screenshot below, you can proceed with setting up the Splunk Universal Forwarder.

  • Installer file: splunkforwarder-10.0.0-e8eb0c4654f8.x86_64.rpm
  • Credential file: splunkclouduf.spl

Install the Splunk Universal Forwarder using the following steps:

Step 1: Create the Splunk user and group.

Step 2: Install the Splunk software as described in the installation instructions for your platform (see Installation instructions). Create the $SPLUNK_HOME directory wherever desired.

Step 3: Run the command to install the package.

The output should be:

Step 4: Run the chown command to change the ownership of the Splunk directory and all its contents to the user that will run the Splunk software.

Step 5: Run the command below to start the forwarder:

or this command:

You will be prompted to create a new administrator username and password. After entering the required information, you should see the following output:

To verify that the forwarder is running, run the command below:

The output should be:

2 - Install the forwarder credentials

To install the forwarder credentials, run the following command:

It will prompt you for the username and password you set during the Splunk Forwarder installation.

Once completed, you should see an output confirming the action, followed by a prompt to restart Splunk.

To restart Splunk, run this command:

The output should be:

To configure Splunk to listen for syslog, create the file /opt/splunkforwarder/etc/system/local/inputs.conf and add the following settings:

To verify that the port the Splunk Universal Forwarder (UF) listens on is open, use the following command:
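The whole procedure from sections 1 and 2 as one script, added here as an example; it is not the KB's own command listing or Splunk's code. It creates the service account, installs the RPM, starts the forwarder, installs the Splunk Cloud credentials app, writes an inputs.conf that turns the forwarder into a syslog listener, and checks that the port is bound. The service account name splunkfwd, the listening port and protocol, the RPM and .spl file names, the firewalld rule and the MDCORE_HOST variable are assumptions; adjust them to your environment.

```bash
#!/usr/bin/env bash
# Added example (not from the original KB): end-to-end Universal Forwarder setup on RHEL 9
# for receiving syslog and forwarding it to Splunk Cloud. Every value below is an assumption
# to adjust: the service account name, file names, the listening port and protocol.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK_USER="${SPLUNK_USER:-splunkfwd}"                        # assumed service account
UF_RPM="${UF_RPM:-splunkforwarder-10.0.0-e8eb0c4654f8.x86_64.rpm}"
UF_CREDS="${UF_CREDS:-splunkclouduf.spl}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"                              # <1024 needs root; see note below
SYSLOG_PROTO="${SYSLOG_PROTO:-udp}"                            # udp or tcp

# Step 1: create the group and user the forwarder will run as.
create_splunk_user() {
  getent group "$SPLUNK_USER" >/dev/null || groupadd -r "$SPLUNK_USER"
  id -u "$SPLUNK_USER" >/dev/null 2>&1 || \
    useradd -r -g "$SPLUNK_USER" -d "$SPLUNK_HOME" -s /sbin/nologin "$SPLUNK_USER"
}

# Steps 3 and 4: install the RPM, then hand $SPLUNK_HOME to the service account.
install_forwarder() {
  rpm -i "$UF_RPM"
  chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
}

# Step 5: first start. Splunk prompts for the admin username and password here.
start_forwarder() {
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" start --accept-license
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" status       # expect "splunkd is running"
}

# Section 2: install the Splunk Cloud credentials app; prompts for the admin account from step 5.
install_credentials() {
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" install app "$UF_CREDS"
}

# Write a minimal inputs.conf that makes the forwarder a syslog listener.
# connection_host = ip stamps each event with the sender's IP, so events stay attributable.
write_syslog_inputs() {   # args: <path> <port> [udp|tcp]
  local path="$1" port="$2" proto="${3:-udp}"
  mkdir -p "$(dirname "$path")"
  printf '[%s://%s]\nsourcetype = syslog\nconnection_host = ip\n' "$proto" "$port" > "$path"
}

# Check that splunkd actually bound the port (ss comes from iproute on RHEL 9).
check_listening() {       # args: <port> [udp|tcp]
  local port="$1" proto="${2:-udp}"
  if [ "$proto" = udp ]; then ss -ulnp | grep -q ":$port "; else ss -tlnp | grep -q ":$port "; fi
}

# Syslog over UDP is unauthenticated: only let the MD Core host reach the port (firewalld).
allow_source() {          # args: <source cidr> <port> [udp|tcp]
  local src="$1" port="$2" proto="${3:-udp}"
  firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"$proto\" accept"
  firewall-cmd --reload
}

main() {
  create_splunk_user
  install_forwarder
  start_forwarder
  install_credentials
  write_syslog_inputs "$SPLUNK_HOME/etc/system/local/inputs.conf" "$SYSLOG_PORT" "$SYSLOG_PROTO"
  chown "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME/etc/system/local/inputs.conf"
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" restart
  if check_listening "$SYSLOG_PORT" "$SYSLOG_PROTO"; then
    echo "forwarder listening on $SYSLOG_PROTO/$SYSLOG_PORT"
  else
    echo "forwarder is NOT listening on $SYSLOG_PROTO/$SYSLOG_PORT" >&2; exit 1
  fi
  if [ -n "${MDCORE_HOST:-}" ]; then allow_source "$MDCORE_HOST/32" "$SYSLOG_PORT" "$SYSLOG_PROTO"; fi
}

# Sourcing this file only defines the functions; pass "apply" to run the procedure as root.
if [ "${1:-}" = "apply" ]; then main; fi
```

Two caveats a practitioner will hit. First, the forwarder runs as the unprivileged account created in step 1, and an unprivileged process cannot bind a port below 1024, so either listen on a high port such as 5514 (SYSLOG_PORT=5514) and point MD Core at it, or redirect 514 to that port with a firewalld forward-port rule. Second, the forwarder-to-Splunk Cloud leg is protected by the credentials package, but the MD Core-to-forwarder leg is plain syslog with no authentication or encryption, so restrict the listening port to the MD Core host (as allow_source does) and keep both hosts on a trusted segment.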

3 - Integrate MD Core syslog with the Splunk Universal Forwarder

If you are using MD Core on Linux (Red Hat, Ubuntu, or Debian), configure syslog by adding the settings below to the /etc/ometascan/ometascan.conf file.

Place these settings directly beneath the [logger] section header.

For example:

Then restart the MD Core service.

Now go back to your Splunk instance and search for "syslog"; you should see entries from MD Core appearing there.
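The MD Core side of the procedure as a script, added here as an example; it is neither the KB's own listing nor OPSWAT code. It inserts the syslog settings directly beneath the [logger] header of ometascan.conf (replacing stale values rather than duplicating them on re-runs), sends a probe message to the forwarder so the path can be confirmed in Splunk before MD Core is restarted, and then restarts the service. The key names syslog and syslog_level, the level values, the unit name ometascan, and the forwarder address 10.0.0.10 are assumptions; check them against the MD Core documentation for your version.

```bash
#!/usr/bin/env bash
# Added example (not from the original KB or OPSWAT): point MD Core's logger at the
# Universal Forwarder and confirm the path works. Assumptions to verify for your MD Core
# version: the [logger] keys are "syslog" and "syslog_level", the systemd unit is
# "ometascan", and the forwarder listens on udp/514.
set -eu

CONF="${CONF:-/etc/ometascan/ometascan.conf}"
UF_HOST="${UF_HOST:-10.0.0.10}"          # assumed forwarder address
UF_PORT="${UF_PORT:-514}"
UF_PROTO="${UF_PROTO:-udp}"

# Insert (or replace) the syslog keys directly beneath the [logger] header, leaving every
# other section untouched. If the file has no [logger] section yet, one is appended.
set_logger_syslog() {    # args: <conf path> <proto://host:port> <debug|info|warning|error>
  local conf="$1" url="$2" lvl="$3" tmp
  tmp="$(mktemp)"
  awk -v url="$url" -v lvl="$lvl" '
    /^\[logger\][ \t]*$/ { print; print "syslog=" url; print "syslog_level=" lvl; in_logger=1; done=1; next }
    /^\[/                { in_logger=0 }
    in_logger && /^[ \t]*(syslog|syslog_level)[ \t]*=/ { next }   # drop stale values
    { print }
    END { if (!done) { print "[logger]"; print "syslog=" url; print "syslog_level=" lvl } }
  ' "$conf" > "$tmp"
  cat "$tmp" > "$conf"   # overwrite in place so the file keeps its owner and mode
  rm -f "$tmp"
}

# Before restarting MD Core, prove the forwarder accepts syslog from this host
# (util-linux logger: -d sends over UDP, -T over TCP). The tag makes it easy to find in Splunk.
send_probe() {           # args: <host> <port> [udp|tcp]
  local host="$1" port="$2" proto="${3:-udp}"
  if [ "$proto" = udp ]; then
    logger -n "$host" -P "$port" -d -t mdcore-probe "syslog path test from $(hostname)"
  else
    logger -n "$host" -P "$port" -T -t mdcore-probe "syslog path test from $(hostname)"
  fi
}

main() {
  cp -p "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"   # keep a rollback copy
  set_logger_syslog "$CONF" "$UF_PROTO://$UF_HOST:$UF_PORT" info
  send_probe "$UF_HOST" "$UF_PORT" "$UF_PROTO"
  systemctl restart ometascan                        # assumed unit name
  systemctl is-active ometascan
}

# Sourcing this file only defines the functions; pass "apply" to change the host as root.
if [ "${1:-}" = "apply" ]; then main; fi
```

After the restart, search Splunk for the probe first (for example `sourcetype=syslog mdcore-probe`); if that is present but no MD Core events follow, the problem is in ometascan.conf or the MD Core service rather than the forwarder.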
