Setup and configure Splunk Forwarder on Debian Linux

A small and short article for today: how to set up and configure the Splunk Forwarder on Debian Linux. This also applies to all Debian derivatives such as Ubuntu. In the Splunk universe the Forwarder is installed on your machine, collects the data and events generated by your OS and forwards them to your Splunk Indexer. In general you should install the Forwarder on every client that generates log files you want to collect on the Indexer.

First download the appropriate .deb package (32 bit or 64 bit) from http://www.splunk.com/download/universalforwarder. Then you can perform an unattended setup of the Splunk Forwarder with a shell script like this (the 64 bit Forwarder is used):

#!/bin/bash

# install the package
dpkg -i splunkforwarder-5.0.1-143156-linux-2.6-amd64.deb

# start once, accept the EULA and suppress all prompts
/opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license

# change the admin password from changeme to Splunky
/opt/splunkforwarder/bin/splunk edit user admin -password Splunky -auth admin:changeme

# point the forwarder to forward all events to splunkserver
/opt/splunkforwarder/bin/splunk add forward-server splunkserver:9997 -auth admin:Splunky

# index and watch/monitor all files in /var/log
/opt/splunkforwarder/bin/splunk add monitor /var/log/ -auth admin:Splunky

Don’t forget to adjust the server name and port as well as the user and password to your Splunk Indexer installation.

By default the Splunk Forwarder binds itself to all network interfaces (0.0.0.0). Since this is not necessary and is a security risk, you can restrict it in the file /opt/splunkforwarder/etc/splunk-launch.conf by adding the following lines:

# bind splunk to localhost only
echo "# bind splunk to localhost only" >> /opt/splunkforwarder/etc/splunk-launch.conf
echo "SPLUNK_BINDIP=127.0.0.1" >> /opt/splunkforwarder/etc/splunk-launch.conf

After this a restart of the Splunk daemon is necessary:

/opt/splunkforwarder/bin/splunk restart
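The two echo lines append a fresh SPLUNK_BINDIP entry every time the script runs, so a second run leaves duplicate (and possibly conflicting) settings behind. The following is an added example, not the post's own script, that sets the value idempotently and verifies it before restarting; it assumes the config path from the post and that ss from iproute2 is available for the final listener check.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent replacement for the
# two "echo >>" lines above. Re-running the post's script appends another
# SPLUNK_BINDIP line each time; this version leaves exactly one (replacing any
# existing value) and verifies it before restarting. Paths are from the post.
set -eu

LAUNCH_CONF="${LAUNCH_CONF:-/opt/splunkforwarder/etc/splunk-launch.conf}"
MARKER='# bind splunk to localhost only'

# set_bindip FILE ADDR: rewrite FILE so it holds exactly one SPLUNK_BINDIP line.
set_bindip() {
    file="$1"; addr="$2"
    tmp="$(mktemp)"
    # Drop any earlier SPLUNK_BINDIP setting (active or commented out) and
    # our own marker comment, then append a single fresh setting.
    grep -v -E "^[[:space:]]*#?[[:space:]]*SPLUNK_BINDIP=|^$MARKER\$" "$file" > "$tmp" || true
    printf '%s\nSPLUNK_BINDIP=%s\n' "$MARKER" "$addr" >> "$tmp"
    # Overwrite in place (cat, not mv) so the file keeps its owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_bindip FILE: print the effective (last active) SPLUNK_BINDIP value.
get_bindip() {
    sed -n 's/^[[:space:]]*SPLUNK_BINDIP=[[:space:]]*//p' "$1" | tail -n 1
}

# count_bindip FILE: number of active SPLUNK_BINDIP lines (should be 1).
count_bindip() {
    grep -c '^[[:space:]]*SPLUNK_BINDIP=' "$1" || true
}

# Only touch the real system when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    set_bindip "$LAUNCH_CONF" 127.0.0.1
    [ "$(get_bindip "$LAUNCH_CONF")" = "127.0.0.1" ] || { echo "bind not set" >&2; exit 1; }
    /opt/splunkforwarder/bin/splunk restart
    # After the restart, splunkd's management port (8089 by default) should
    # show up on 127.0.0.1 only, never on 0.0.0.0 or *.
    ss -ltn | grep ':8089' || echo "no listener on 8089 found" >&2
fi
```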

Finally, create the init scripts so the forwarder starts automatically at boot:

/opt/splunkforwarder/bin/splunk enable boot-start