Configure Splunk to Forward Data

Perform the following procedure on the Splunk Indexer that is to forward data to the Tenable Log Correlation Engine Splunk Client.

To configure Splunk to forward data:

  1. Access Splunk Web as a user with Administrator privileges.
  2. At the top of the Splunk Web interface, click Settings, and then click Forwarding and receiving.

    The Forwarding and receiving page appears.

  3. In the Configure forwarding row, in the Actions column, click the Add new link.

    The Add new page appears.

  4. In the Host box, type the IP address of the Tenable Log Correlation Engine Splunk Client host, and then click the Save button.

    The IP address is saved. On the Splunk Web interface, the IP address appears on the Forward data page.

  5. Access the Splunk Indexer as the root user.
  6. Edit the outputs.conf file, usually located at /opt/splunk/etc/system/local/outputs.conf. The lines you must add appear in bold.

    [tcpout]
    defaultGroup = default
    disabled = 0
    indexAndForward = 1

    [tcpout-server://LCE_IP_OR_Hostname:9800]

    [tcpout:default]
    disabled = 0
    server = LCE_IP_OR_Hostname:9800
    sendCookedData = false

  7. Save the file, and then restart the Splunk services.

    Data will now be forwarded to the Tenable Log Correlation Engine Splunk Client.
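
A pre-restart check for the file edited in step 6, as an added example that is not part of the Tenable or Splunk documentation: it confirms that each setting shown above is present, that the server value is no longer the LCE_IP_OR_Hostname placeholder, and that the matching tcpout-server stanza exists. The function names, the sample configuration and the 192.0.2.10 address are constructed for illustration, and port 9800 is assumed as in the listing above.

```bash
#!/usr/bin/env bash
# Added example: checks outputs.conf for the settings listed in step 6.
# Function names and the sample below are constructed for illustration.

# Print the value of KEY in [STANZA] of FILE (last assignment wins).
conf_get() {  # FILE STANZA KEY
  awk -v want="[$2]" -v key="$3" '
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    /^(#|$)/ { next }                    # comments and blank lines
    /^\[/    { cur = $0; next }          # stanza header
    cur == want && (i = index($0, "=")) {
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# Return 0 when FILE carries the forwarding settings; otherwise list problems.
check_lce_forwarding() {
  local f=$1 bad=0 server
  expect() {  # STANZA KEY WANTED
    local got; got=$(conf_get "$f" "$1" "$2")
    [ "$got" = "$3" ] || { echo "[$1] $2 = '$got', expected '$3'"; bad=1; }
  }
  expect tcpout defaultGroup default
  expect tcpout disabled 0
  expect tcpout indexAndForward 1
  expect tcpout:default disabled 0
  expect tcpout:default sendCookedData false
  server=$(conf_get "$f" tcpout:default server)
  case $server in
    ''|LCE_IP_OR_Hostname:*) echo "server is unset or still the placeholder"; bad=1 ;;
    *:9800) grep -Fq "[tcpout-server://$server]" "$f" ||
              { echo "missing [tcpout-server://$server] stanza"; bad=1; } ;;
    *) echo "server '$server' does not use port 9800"; bad=1 ;;
  esac
  return $bad
}

# Constructed sample; 192.0.2.10 is a documentation address, not a real host.
sample_conf() {
  printf '%s\n' '[tcpout]' 'defaultGroup = default' 'disabled = 0' \
    'indexAndForward = 1' '[tcpout-server://192.0.2.10:9800]' \
    '[tcpout:default]' 'disabled = 0' 'server = 192.0.2.10:9800' \
    'sendCookedData = false'
}

if [ -f "${1:-}" ]; then check_lce_forwarding "$1"; fi
```

Pass the path of outputs.conf as the first argument; a non-zero exit status means at least one setting differs from the listing in step 6.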