Configure Splunk to Forward Data

Perform the following procedure on the Splunk Indexer from which you want to forward data to the LCE Splunk Client.

Steps

  1. Access Splunk Web as a user with Administrator privileges.
  2. At the top of the Splunk Web interface, click Settings, and then click Forwarding and receiving.

    The Forwarding and receiving page appears.

  3. In the Configure forwarding row, in the Actions column, click the Add new link.

    The Add new page appears.

  4. In the Host box, type the IP address of the LCE Splunk Client host, and then click the Save button.

    The IP address is saved. On the Splunk Web interface, the IP address appears on the Forward data page.

  5. Access the Splunk Indexer as the root user.
  6. Edit the outputs.conf file, usually located at /opt/splunk/etc/system/local/outputs.conf. The lines you must add appear in bold.

    [tcpout]

    defaultGroup = default

    disabled = 0

    indexAndForward = 1

    [tcpout-server://LCE_IP_OR_Hostname:9800]

    [tcpout:default]

    disabled = 0

    server = LCE_IP_OR_Hostname:9800

    sendCookedData = false

  7. Save the file, and then restart the Splunk services.

    Data will now be forwarded to the LCE Splunk Client.
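Before restarting in step 7, a consistency check on the edited file catches a leftover placeholder or a host changed in only one of the two places it appears. This is an added example, not Tenable or Splunk code; the host `lce.example.internal`, the function name `check_outputs_conf` and the accepted boolean spellings are assumptions.

```python
import configparser

PLACEHOLDER = "LCE_IP_OR_Hostname"   # placeholder text used in step 6
PREFIX = "tcpout-server://"
TRUE, FALSE = {"1", "true"}, {"0", "false"}  # assumed boolean spellings
# Constructed sample: the step 6 file with a made-up LCE Splunk Client host.
SAMPLE = """\
[tcpout]
defaultGroup = default
disabled = 0
indexAndForward = 1

[tcpout-server://lce.example.internal:9800]

[tcpout:default]
disabled = 0
server = lce.example.internal:9800
sendCookedData = false
"""

def check_outputs_conf(text, port="9800"):
    """Return a list of problems; an empty list means the file matches step 6."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    try:
        cp.read_string(text)
    except configparser.Error as exc:  # bad syntax, duplicate stanza or setting
        return [f"parse error: {exc}"]
    group = cp.get("tcpout", "defaultGroup", fallback=None)
    if group is None or not cp.has_section(f"tcpout:{group}"):
        return ["[tcpout] defaultGroup is missing or names no [tcpout:<group>] stanza"]
    stanza, problems = f"tcpout:{group}", []
    if cp.get("tcpout", "indexAndForward", fallback="").lower() not in TRUE:
        problems.append("[tcpout] indexAndForward is not enabled")
    for name in ("tcpout", stanza):
        if cp.get(name, "disabled", fallback="0").lower() in TRUE:
            problems.append(f"[{name}] is disabled")
    if cp.get(stanza, "sendCookedData", fallback="").lower() not in FALSE:
        problems.append(f"[{stanza}] sendCookedData is not false")
    servers = {s.strip() for s in cp.get(stanza, "server", fallback="").split(",") if s.strip()}
    declared = {s[len(PREFIX):] for s in cp.sections() if s.startswith(PREFIX)}
    if not servers or servers != declared:
        problems.append("server list and [tcpout-server://...] stanzas do not match")
    for s in sorted(servers | declared):
        if PLACEHOLDER in s:
            problems.append(f"placeholder {PLACEHOLDER} was not replaced")
        elif s.rpartition(":")[2] != port:
            problems.append(f"{s} does not target port {port}")
    return problems
```

Pass the contents of the edited outputs.conf to `check_outputs_conf`; an empty list means the file is consistent with the settings shown in step 6.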

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.