
Splunk Client Policy Configuration Items

In the Client Policy Builder, the following configuration items appear for the LCE Splunk Client. Each entry below gives a brief description of the item, an XML example, and the values that are valid for it.

Splunk server

Description: The IP addresses of one or more Splunk servers that are sending data to the LCE Splunk Client.

Note: The LCE Splunk Client requires at least one IP address to be entered in order to receive data. If no Splunk servers are added, the LCE Splunk Client will not open the Listen port.

XML Example:

<splunk-server>172.26.0.10</splunk-server>

Valid Values: One IP address per entry.

Listen port

Description: The port to which the Splunk servers are sending data.

XML Example:

<listen-port>8000</listen-port>

Valid Values: An integer from 1024 to 65535. Privileged ports (lower than 1024) are not valid for this configuration item.

Syslog server

Description: The IP address or hostname and port number of the syslog server to which you want the LCE Splunk Client to forward events, in addition to the LCE server.

XML Examples:

<syslog-server>172.26.0.10:8000</syslog-server>

<syslog-server>corpnet8557:8000</syslog-server>

Valid Values: <IP or Hostname>:<Port Number>, where

  • <IP or Hostname> is an IP address, or a hostname with a maximum length of 46 characters.
  • <Port Number> is an integer from 1 to 65535.

Delimiter

Description: The custom delimiters that you want to apply to parse events in Splunk logs. You can include multiple Delimiter entries in your policy.

Note: By default, the policy includes the delimiter for Windows multiline logs. This delimiter is not required by the policy.

XML Example:

<delimiters>
    <delimiter>
        <start>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (A|P)M</start>
        <end>[^\r]\n</end>
    </delimiter>
</delimiters>

Valid Values: See Delimiters.
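The default delimiter above is easiest to understand by running it over a few lines of the kind of log it was written for. The following Python is an added example, not Tenable's client code: it loads the <delimiters> block exactly as it appears on this page, then cuts a constructed Windows-style multiline log into events. It assumes one plausible semantics for the pair, that an event begins where the <start> pattern matches and ends at the first <end> match after it; the Delimiters page linked above is the authority on how the client itself applies them.

```python
import re
import xml.etree.ElementTree as ET

# The default delimiter for Windows multiline logs, copied from this page's XML example.
DELIMITER_XML = r"""<delimiters>
    <delimiter>
        <start>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (A|P)M</start>
        <end>[^\r]\n</end>
    </delimiter>
</delimiters>"""

# Constructed sample: two Windows-style records. Lines inside a record end with
# \r\n, and only the last line of each record ends with a bare \n, which is what
# the <end> pattern [^\r]\n matches.
SAMPLE_LOG = (
    "3/14/2017 09:15:02 AM\r\n"
    "LogName=Security\r\n"
    "EventCode=4624\r\n"
    "Message=An account was successfully logged on.\n"
    "3/14/2017 09:15:07 PM\r\n"
    "LogName=Security\r\n"
    "EventCode=4625\r\n"
    "Message=An account failed to log on.\n"
)


def load_delimiters(xml_text):
    """Return [(start_regex, end_regex), ...] compiled from a <delimiters> block."""
    root = ET.fromstring(xml_text)
    return [(re.compile(d.findtext("start")), re.compile(d.findtext("end")))
            for d in root.iter("delimiter")]


def split_events(text, delimiters):
    """Cut text into events.

    Assumed semantics (see lead-in): an event runs from a <start> match up to and
    including the first <end> match that follows it. With several delimiter
    pairs, the earliest <start> match wins. Text before the first match is
    dropped; a trailing record with no <end> match is kept as-is.
    """
    events = []
    pos = 0
    while pos < len(text):
        best = None
        for start_re, end_re in delimiters:
            m = start_re.search(text, pos)
            if m and (best is None or m.start() < best[0].start()):
                best = (m, end_re)
        if best is None:
            break
        m, end_re = best
        e = end_re.search(text, m.end())
        if e is None:
            events.append(text[m.start():])  # unterminated trailing record
            break
        events.append(text[m.start():e.end()])
        pos = e.end()
    return events


if __name__ == "__main__":
    for i, event in enumerate(split_events(SAMPLE_LOG, load_delimiters(DELIMITER_XML)), 1):
        print(f"--- event {i} ---")
        print(event.rstrip())
```

Running the block prints the two records separately; the \r\n line endings inside each record never satisfy [^\r]\n, so the record is only closed by the bare \n at its end. A delimiter whose <end> matched \r\n as well would split every line into its own event, which is the usual symptom of a mis-written delimiter.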
Log directory

Description: Directory containing files, named according to the date, that contain LCE Splunk Client log messages.

XML Example:

<log-directory></log-directory>

Valid Values: A path to an existing directory.

Client heartbeat frequency

Caution: This configuration item is deprecated for versions 4.6 and later of the LCE Splunk Client. Use Client heartbeat period instead.

XML Example:

<heartbeat-frequency>600</heartbeat-frequency>

Valid Values: No valid values.

Client heartbeat period

Description: The number of seconds between each client heartbeat message to the LCE server. If not used or set to 0, the client will not send heartbeats.

XML Example:

<heartbeat-period>600</heartbeat-period>

Valid Values: An integer.

Client statistics frequency

Caution: This configuration item is deprecated for versions 4.6 and later of the LCE Splunk Client. Use Client statistics period instead.

XML Example:

<statistics-frequency>60</statistics-frequency>

Valid Values: No valid values.

Client statistics period

Description: The number of minutes between each client host performance statistics report (CPU, Disk Space, and Physical Memory) to the LCE server. If not used or set to 0, client statistics will not be sent.

XML Example:

<statistics-period>60</statistics-period>

Valid Values: An integer.

Compress events

Description: Whether the client will compress log data prior to sending it to the LCE server in order to save bandwidth. Recommended except when debugging. If set to 0, events will not be compressed.

XML Example:

<compress-events>1</compress-events>

Valid Values: 0 (off) or 1 (on)

Compression level

Description: The zlib compression level to use when compressing events for transmission across the network, on a scale from 1 to 9. 1 provides the least compression, resulting in minimum CPU usage and minimum bandwidth savings; 9 maximizes compression, resulting in increased CPU usage and maximum bandwidth savings. Ignored unless compression is enabled.

XML Example:

<compression-level>5</compression-level>

Valid Values: An integer from 1 to 9.

Minimum compression ratio

Description: Defines the minimum acceptable savings ratio for event data transmitted across the network, expressed as (bytes total) / (bytes compressed). If the client determines that the savings ratio would be less than this value, the event data is sent uncompressed. This spares the LCE server the effort of decompressing event data when the compression benefit is minimal. Ignored unless compression is enabled.

XML Example:

<minimum-compression-ratio>1.5</minimum-compression-ratio>

Valid Values: A decimal number.

Minimum compression input size

Description: The minimum number of bytes a packet must have to be compressed. Ignored unless compression is enabled.

XML Example:

<minimum-compression-input-size>2048</minimum-compression-input-size>

Valid Values: An integer greater than 0.
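The four compression items (Compress events, Compression level, Minimum compression ratio, Minimum compression input size) combine into a single per-packet decision, and it is worth seeing which packets actually end up compressed under the example values on this page. The following Python is an added example, not the LCE client's code: it applies the checks in the order the descriptions above suggest (compression off, packet under the minimum input size, then the achieved zlib ratio against the minimum ratio) to three constructed packets, and includes the server-side undo so the round trip can be checked. The check order and the packet contents are assumptions for the demonstration.

```python
import hashlib
import zlib

# Settings taken from this page's XML examples.
POLICY = {
    "compress-events": 1,
    "compression-level": 5,
    "minimum-compression-ratio": 1.5,
    "minimum-compression-input-size": 2048,
}


def prepare_for_send(payload: bytes, policy=POLICY):
    """Decide how one event packet leaves the client.

    Returns (bytes_to_send, compressed, ratio), where ratio is
    (bytes total) / (bytes compressed), or None if no compression was attempted.
    The order of the checks follows this page's descriptions (assumed, not the
    client's own implementation).
    """
    if not policy["compress-events"]:
        return payload, False, None
    if len(payload) < policy["minimum-compression-input-size"]:
        return payload, False, None
    compressed = zlib.compress(payload, policy["compression-level"])
    ratio = len(payload) / len(compressed)
    if ratio < policy["minimum-compression-ratio"]:
        # Savings too small: send raw and spare the LCE server the decompression.
        return payload, False, ratio
    return compressed, True, ratio


def receive(data: bytes, compressed: bool) -> bytes:
    """Server-side counterpart: undo the compression if the client applied it."""
    return zlib.decompress(data) if compressed else data


def _pseudo_random_bytes(n, seed=b"lce-sample"):
    """Deterministic, effectively incompressible bytes (a SHA-256 chain), constructed for the demo."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample packets.
SYSLOG_LINE = (b"<13>Mar 14 09:15:02 host sshd[1234]: Accepted publickey for alice "
               b"from 172.26.0.10 port 51234 ssh2\n")
REPETITIVE_PACKET = SYSLOG_LINE * 50                # ~4.8 KB of near-identical lines
SMALL_PACKET = SYSLOG_LINE                          # below the 2048-byte minimum input size
INCOMPRESSIBLE_PACKET = _pseudo_random_bytes(4096)  # dense data: ratio stays near 1


def demo(policy=POLICY):
    """Run the three packets through the decision; returns name -> (in, out, compressed, ratio)."""
    results = {}
    for name, packet in (("repetitive", REPETITIVE_PACKET),
                         ("small", SMALL_PACKET),
                         ("incompressible", INCOMPRESSIBLE_PACKET)):
        sent, compressed, ratio = prepare_for_send(packet, policy)
        assert receive(sent, compressed) == packet
        results[name] = (len(packet), len(sent), compressed, ratio)
    return results


if __name__ == "__main__":
    for name, (size_in, size_out, compressed, ratio) in demo().items():
        shown = "n/a" if ratio is None else f"{ratio:.2f}"
        print(f"{name:15s} {size_in:5d} -> {size_out:5d} bytes  compressed={compressed}  ratio={shown}")
```

Only the repetitive packet goes out compressed; the small one never reaches zlib, and the dense one is compressed, found to save almost nothing, and sent raw. When troubleshooting, the page's advice to turn compression off while debugging corresponds to setting "compress-events" to 0, which short-circuits the whole decision.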
Debug level

Description: Controls the debugging information that is logged.

XML Example:

<debug-level>NONE</debug-level>

Valid Values: One of the following:

  • NONE
  • VERBOSE
  • INFO
  • WARN
  • ERROR

Event queue timeout

Description: Maximum number of seconds between event messages the client sends to the LCE server.

XML Example:

<event-queue-timeout>30</event-queue-timeout>

Valid Values: An integer greater than 0.

Local IP net

Description: If a host has multiple network connections, this item lets you specify which network to use. If it is not set, or the CIDR does not match any network, the client uses the first network connection detected.

XML Example:

<local-ip-net>172.0.0.0/8</local-ip-net>

Valid Values: A CIDR.

Event file

Description: Path to the file to which received events are written. Relative paths are interpreted relative to the client's installation directory.

XML Example:

<write-events-to-file></write-events-to-file>

Valid Values: A path to an existing file.

Write events to standard output

Description: Whether to write events to standard output.

XML Example:

<write-events-to-stdout>0</write-events-to-stdout>

Valid Values: 0 (off) or 1 (on)
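Most of the valid-values rules on this page are mechanical (port ranges, an enumeration, a CIDR, integers with bounds), so they can be checked before a policy is pushed to clients rather than discovered from a client that silently refuses to open its listen port. The following Python validator is an added example, not part of Tenable's software; it assumes the items sit under a wrapper element (here <policy>, a constructed name, since this page does not show the enclosing document), and it enforces only the constraints stated on this page. The sample policy is constructed with three deliberate mistakes.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

DEBUG_LEVELS = ("NONE", "VERBOSE", "INFO", "WARN", "ERROR")
# Deprecated item -> replacement, per the Caution notes on this page.
DEPRECATED = {"heartbeat-frequency": "heartbeat-period",
              "statistics-frequency": "statistics-period"}
# tag -> (low, high); None means no upper bound. Ranges are those stated on the
# page; 0 as the lower bound for the period items reflects "set to 0" turning
# them off (treating negatives as errors is an assumption).
INT_RANGES = {
    "listen-port": (1024, 65535),
    "heartbeat-period": (0, None),
    "statistics-period": (0, None),
    "compress-events": (0, 1),
    "compression-level": (1, 9),
    "minimum-compression-input-size": (1, None),
    "event-queue-timeout": (1, None),
    "write-events-to-stdout": (0, 1),
}

# Constructed sample policy. Mistakes: a privileged listen port, a deprecated
# heartbeat item, and a debug level that is not in the allowed list.
SAMPLE_POLICY = r"""<policy>
  <splunk-server>172.26.0.10</splunk-server>
  <listen-port>514</listen-port>
  <syslog-server>corpnet8557:8000</syslog-server>
  <delimiters><delimiter><start>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (A|P)M</start><end>[^\r]\n</end></delimiter></delimiters>
  <heartbeat-frequency>600</heartbeat-frequency>
  <heartbeat-period>600</heartbeat-period>
  <compress-events>1</compress-events>
  <compression-level>5</compression-level>
  <minimum-compression-ratio>1.5</minimum-compression-ratio>
  <minimum-compression-input-size>2048</minimum-compression-input-size>
  <debug-level>DEBUG</debug-level>
  <event-queue-timeout>30</event-queue-timeout>
  <local-ip-net>172.0.0.0/8</local-ip-net>
  <write-events-to-stdout>0</write-events-to-stdout>
</policy>"""


def _text(el):
    return (el.text or "").strip()


def validate_policy(xml_text):
    """Return a list of 'error: ...' / 'warning: ...' strings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []

    servers = [_text(el) for el in root.iter("splunk-server")]
    if not servers:
        findings.append("error: no <splunk-server> entries; the client will not open its listen port")
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            findings.append(f"error: <splunk-server> '{s}' is not an IP address")

    for tag, (lo, hi) in INT_RANGES.items():
        for el in root.iter(tag):
            value = _text(el)
            if not re.fullmatch(r"-?\d+", value):
                findings.append(f"error: <{tag}> '{value}' is not an integer")
            elif int(value) < lo or (hi is not None and int(value) > hi):
                upper = "unbounded" if hi is None else hi
                findings.append(f"error: <{tag}> {value} is outside {lo}..{upper}")

    for el in root.iter("syslog-server"):
        host, sep, port = _text(el).rpartition(":")
        if not (sep and host and len(host) <= 46 and port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"error: <syslog-server> '{_text(el)}' is not <IP or Hostname>:<Port Number> "
                            "(hostname up to 46 characters, port 1 to 65535)")

    for el in root.iter("delimiter"):
        for part in ("start", "end"):
            pattern = el.findtext(part) or ""
            try:
                re.compile(pattern)
            except re.error as exc:
                findings.append(f"error: <delimiter>/<{part}> pattern '{pattern}' does not compile: {exc}")

    for old, new in DEPRECATED.items():
        if root.find(f".//{old}") is not None:
            findings.append(f"warning: <{old}> is deprecated for client 4.6 and later; use <{new}> instead")

    for el in root.iter("minimum-compression-ratio"):
        try:
            float(_text(el))
        except ValueError:
            findings.append(f"error: <minimum-compression-ratio> '{_text(el)}' is not a decimal number")

    for el in root.iter("debug-level"):
        if _text(el) not in DEBUG_LEVELS:
            findings.append(f"error: <debug-level> '{_text(el)}' is not one of {', '.join(DEBUG_LEVELS)}")

    for el in root.iter("local-ip-net"):
        try:
            ipaddress.ip_network(_text(el), strict=False)
        except ValueError:
            findings.append(f"error: <local-ip-net> '{_text(el)}' is not a CIDR")

    return findings


if __name__ == "__main__":
    for line in validate_policy(SAMPLE_POLICY) or ["clean"]:
        print(line)
```

The validator reports the three planted problems and nothing else; fixing them (a port of 1024 or above, a listed debug level, and the heartbeat period item in place of the deprecated frequency item) yields an empty list. Checks that depend on the host (whether the log directory exists, whether the local IP net matches an interface) are deliberately left out because they can only be answered on the client itself.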

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.