Install the Splunk Universal Log Forwarder

To set up the Splunk Universal Log Forwarder, download the version for your operating system from https://www.splunk.com/en_us/download/universal-forwarder.html, then follow the steps below.

Note: If you don't already have an account, you need to create a free Splunk account to download the Universal Forwarder installation package(s).

Note: To attribute events to the correct host, NNM maintains a name-to-IP address cache. This cache is populated from Splunk query results and from NNM's passively collected data. If the log forwarder's name is misconfigured, the Splunk IP-to-name mapping can be inaccurate. To correct this, review the serverName setting in $SPLUNK_HOME/etc/system/local/server.conf on the forwarder. This name must match the hostname returned by the query index=_internal sourcetype=splunkd group=tcpin_connections | stats latest(sourceIp) by hostname, run on the Splunk instance that receives the forwarder's data. If the names do not match, the Splunk IP-to-name mapping will be incorrect and the SIEM Pull Service will not provide data to NNM.

Example:

cat /opt/splunkforwarder/etc/system/local/server.conf

[general]
serverName = dhcpc7
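The following script is an added example for this page, not Tenable NNM or Splunk code. It reads serverName from the forwarder's server.conf and compares it with the hostnames Splunk reports on tcpin_connections, which is the check the note above describes. It assumes the query index=_internal sourcetype=splunkd group=tcpin_connections | stats latest(sourceIp) by hostname has been exported to CSV with the columns hostname and latest(sourceIp); the server.conf and CSV contents below are constructed samples, and a case-only difference is reported separately because it is the most common way the mapping silently breaks.

```python
"""Verify that a Universal Forwarder's serverName matches what Splunk reports.

Added example for this page; it is not Tenable NNM or Splunk code.
Assumption: the search
  index=_internal sourcetype=splunkd group=tcpin_connections
  | stats latest(sourceIp) by hostname
has been exported to CSV with the columns hostname,latest(sourceIp).
"""
import configparser
import csv
import io
from typing import Dict, Optional

# Constructed sample server.conf, matching the page's example host.
SAMPLE_CONF = """[general]
serverName = dhcpc7
"""

# Constructed sample whose name does not match what Splunk sees.
BAD_CONF = """[general]
serverName = dhcpc7.lab.example
"""

# Constructed CSV export of the tcpin_connections search (not real data).
SAMPLE_STATS_CSV = """hostname,latest(sourceIp)
dhcpc7,192.0.2.45
webserver01,192.0.2.10
"""


def read_server_name(conf_text: str) -> Optional[str]:
    """Return [general] serverName from server.conf text, or None if not set."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's camelCase keys as written
    parser.read_string(conf_text)
    return parser.get("general", "serverName", fallback=None)


def parse_stats_csv(csv_text: str) -> Dict[str, str]:
    """Map each hostname Splunk saw on tcpin_connections to its latest source IP."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: row["latest(sourceIp)"] for row in reader}


def check_forwarder_name(conf_text: str, csv_text: str) -> Dict[str, Optional[str]]:
    """Compare serverName against the hostnames Splunk reports.

    status is 'match' when the IP-to-name mapping will be correct,
    'case-mismatch' when only letter case differs (still a mismatch for
    an exact comparison, but easy to fix), 'mismatch' otherwise, and
    'missing' when server.conf sets no serverName at all.
    """
    name = read_server_name(conf_text)
    seen = parse_stats_csv(csv_text)
    if name is None:
        return {"serverName": None, "status": "missing", "sourceIp": None}
    if name in seen:
        return {"serverName": name, "status": "match", "sourceIp": seen[name]}
    by_lower = {h.lower(): h for h in seen}
    if name.lower() in by_lower:
        actual = by_lower[name.lower()]
        return {"serverName": name, "status": "case-mismatch", "sourceIp": seen[actual]}
    return {"serverName": name, "status": "mismatch", "sourceIp": None}


if __name__ == "__main__":
    print(check_forwarder_name(SAMPLE_CONF, SAMPLE_STATS_CSV))
    print(check_forwarder_name(BAD_CONF, SAMPLE_STATS_CSV))
```

In practice, replace SAMPLE_CONF with the contents of /opt/splunkforwarder/etc/system/local/server.conf on the forwarder and SAMPLE_STATS_CSV with the exported search result; anything other than status 'match' means the SIEM Pull Service will not deliver that host's events to NNM until serverName is corrected and the forwarder restarted.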

Once installed, the Universal Log Forwarder sends the logs that NNM needs to Splunk, where NNM queries them to list events.

NNM uses the following Splunk query to generate events (using DHCP as an example):

source="/var/log/messages" *dhcpd*dhcp*

This query returns all DHCP events from the forwarded syslog. For example:

[DHCP_HOST] dhcpd: DHCPACK on 127.0.0.1 to 00:11:aa:bb:22:ff (QUERYING_HOST) via ens192
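To show what NNM can derive from the events that query returns, here is an added example (not NNM code) that filters syslog lines the way the search does and parses ISC dhcpd DHCPACK lines into an IP, MAC, hostname and interface table, the same kind of name-to-IP cache described in the note above. The log lines are constructed in the format the page shows, using RFC 5737 addresses, and the filter approximates *dhcpd*dhcp* as a case-insensitive substring test rather than reproducing Splunk's term matching. It goes slightly beyond the page's single line by handling ACKs without a client hostname and an address reassigned to a new MAC.

```python
"""Parse the dhcpd events NNM's Splunk query returns into an IP/MAC/host table.

Added example for this page; it is not Tenable NNM code. The log lines
below are constructed in the ISC dhcpd syslog format the page shows and are
not captured data. The filter mimics the Splunk search
  source="/var/log/messages" *dhcpd*dhcp*
as a case-insensitive substring test, an approximation of Splunk's
term matching.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of /var/log/messages lines (RFC 5737 addresses).
SAMPLE_LOG: List[str] = [
    "Mar 12 10:15:01 dhcpc7 dhcpd: DHCPDISCOVER from 00:11:aa:bb:22:ff via ens192",
    "Mar 12 10:15:01 dhcpc7 dhcpd: DHCPOFFER on 192.0.2.45 to 00:11:aa:bb:22:ff (laptop01) via ens192",
    "Mar 12 10:15:02 dhcpc7 dhcpd: DHCPREQUEST for 192.0.2.45 (192.0.2.1) from 00:11:aa:bb:22:ff (laptop01) via ens192",
    "Mar 12 10:15:02 dhcpc7 dhcpd: DHCPACK on 192.0.2.45 to 00:11:aa:bb:22:ff (laptop01) via ens192",
    "Mar 12 10:16:40 dhcpc7 dhcpd: DHCPACK on 192.0.2.46 to 00:11:aa:bb:23:01 via ens192",
    "Mar 12 10:20:00 dhcpc7 sshd[2231]: Accepted publickey for admin from 192.0.2.10 port 51022",
    "Mar 12 11:02:17 dhcpc7 dhcpd: DHCPACK on 192.0.2.45 to 00:11:aa:bb:24:9c (printer03) via ens192",
]

# The page's own example line, kept so the parser is checked against it.
PAGE_EXAMPLE = "[DHCP_HOST] dhcpd: DHCPACK on 127.0.0.1 to 00:11:aa:bb:22:ff (QUERYING_HOST) via ens192"

# Approximation of *dhcpd*dhcp*: "dhcpd" followed somewhere later by "dhcp".
NNM_FILTER = re.compile(r"dhcpd.*dhcp", re.IGNORECASE)

# ISC dhcpd DHCPACK line; the "(hostname)" part is only present when the
# client sent a host-name option.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def matches_nnm_filter(line: str) -> bool:
    """True if the line would be returned by the page's DHCP search (approximated)."""
    return NNM_FILTER.search(line) is not None


def parse_dhcpack(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract ip, mac, host (None if absent) and iface from a DHCPACK line."""
    m = DHCPACK_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "mac": m.group("mac").lower(),
        "host": m.group("host"),
        "iface": m.group("iface"),
    }


def build_lease_table(lines: Iterable[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Latest DHCPACK per IP, the kind of name-to-IP cache NNM maintains.

    Only ACKs count: OFFER and REQUEST lines do not prove a lease was granted.
    A later ACK for the same IP replaces the earlier entry, so reassignment
    of an address to a new MAC is reflected in the table.
    """
    table: Dict[str, Dict[str, Optional[str]]] = {}
    for line in lines:
        if not matches_nnm_filter(line):
            continue
        ack = parse_dhcpack(line)
        if ack is not None:
            table[ack["ip"]] = ack
    return table


if __name__ == "__main__":
    for ip, lease in build_lease_table(SAMPLE_LOG).items():
        print(ip, lease["mac"], lease["host"] or "-", lease["iface"])
```

Feeding the script real /var/log/messages content from the DHCP server shows exactly which IP-to-host attributions NNM will be able to make; hosts whose ACK carries no hostname appear with '-' and will need NNM's passive data or another source to be named.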

For more information on the Splunk Universal Log Forwarder, see the following topics: