Splunk

1 - Heavy Forwarder

Heavy Forwarder: Receive data from Splunk.

This page describes how to configure your Splunk Heavy Forwarders to send data to AxoRouter.

The Axoflow Forwarder app works alongside an existing Splunk configuration by creating an axoflow server group that is not part of the default group in the [tcpout] stanza. Messages are cloned to the axoflow group separately during a transformation process, so your existing indexers keep receiving data unchanged.

Prerequisites

  • You’ll need to install the Axoflow Forwarder app on your Heavy Forwarders. Currently, you can request the app directly from Axoflow. Contact our support team for details.
  • You know the IP address of the AxoRouter. To find it:

    1. Open the Axoflow Console.
    2. Select the Routers or the Topology page.
    3. Select the AxoRouter instance that is going to receive the logs.
    4. Check the Networks > Address field.

Steps

To configure your Splunk Heavy Forwarders to send data to AxoRouter, complete the following steps.

  1. Create a new Syslog Connector rule with the following parameters:

    1. Select Routers > Create New Rule > Syslog > Custom

    2. Enter splunk-hf into the Rule Name field.

      Syslog connector settings for Splunk

    3. Set the Router Selector so it matches the AxoRouter instances where your Splunk Heavy Forwarders will be forwarding their data. If you leave the Router Selector field empty, the rule will match all AxoRouters.

    4. In the Preprocessing steps section, enable Classify.

      Syslog connector rule for Splunk

    5. In the Syslog settings section:

      1. Select the TCP protocol.
      2. Enter 9900 into the Port field.

    6. Select Create.

  2. Install the Axoflow Forwarder app you’ve received from the Axoflow Support Team on your Splunk Heavy Forwarders.

    1. Configure name resolution for the axorouter host by completing one of the following:

      • Add axorouter to the /etc/hosts file to resolve to the IP address of your AxoRouter instance where this host is sending data.

      • Alternatively, you can add the following snippet to your /opt/splunk/etc/system/local/outputs.conf file:

        [tcpout:axoflow]
        server = <AXOROUTER_IP1>:9900, <AXOROUTER_IP2>:9900
        
        # configure maxQueueSize to allow for a temporary in-memory buffer if the destination is slow or unavailable
        # maxQueueSize = 100MB
        # configure a persistentQueueSize to allow for data to be queued on disk if the destination is slow or unavailable
        # persistentQueueSize = 1GB
        

        Note that if you set multiple AxoRouters in the server field, the forwarder will load-balance among them.

        Configure either in-memory (maxQueueSize) or on-disk (persistentQueueSize) queueing to avoid data loss in case the destination is slow or unavailable.

    2. Install the Axoflow Forwarder app using the Splunk UI.

    3. Restart splunkd.

  3. Add the source to Axoflow Console.

    1. Open the Axoflow Console and select Topology.

    2. Select Create New Item > Source.

      • If the source is actively sending data to an AxoRouter instance, select Detected, then select your source.
      • Otherwise, select the vendor and product corresponding to your source from the Predefined sources, then enter the parameters of the source, like IP address and FQDN.

    3. (Optional) Add custom labels as needed.

    4. Select Create.
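As an added example (not part of the Axoflow documentation or of the Forwarder app), the following shell script checks the [tcpout:axoflow] stanza from step 2 before you restart splunkd: it lists the configured servers, flags any entry that does not use the connector port 9900 created in step 1, and reports whether in-memory or on-disk queueing is enabled so a slow or unreachable AxoRouter does not silently drop events. The file path and the sample outputs.conf with placeholder 192.0.2.x addresses are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Axoflow's or Splunk's own tooling. Validates the
# [tcpout:axoflow] stanza of an outputs.conf before restarting splunkd.

# Print the host:port entries of the `server =` key in [tcpout:axoflow],
# one per line. Returns 1 if the stanza or its server key is missing.
axoflow_servers() {
  awk '
    # A line starting with "[" opens a new stanza; remember whether it is ours.
    /^[[:space:]]*\[/ { active = ($0 ~ /^[[:space:]]*\[tcpout:axoflow\][[:space:]]*$/); next }
    active && /^[[:space:]]*server[[:space:]]*=/ {
      sub(/^[[:space:]]*server[[:space:]]*=[[:space:]]*/, "")
      n = split($0, parts, /[[:space:]]*,[[:space:]]*/)
      for (i = 1; i <= n; i++) if (parts[i] != "") { print parts[i]; found = 1 }
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Verify every server entry is host:port with the Syslog connector port 9900.
# Prints a warning per bad entry; returns 1 if any entry is wrong or missing.
axoflow_check_ports() {
  local conf="$1" rc=0 servers entry
  servers=$(axoflow_servers "$conf") || {
    echo "ERROR: no server list in [tcpout:axoflow] of $conf"; return 1; }
  for entry in $servers; do
    case "$entry" in
      *:9900) ;;
      *:*) echo "WARN: $entry does not use the connector port 9900"; rc=1 ;;
      *)   echo "WARN: $entry has no port"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Return 0 if the stanza has an uncommented maxQueueSize or persistentQueueSize,
# 1 otherwise (without either, a slow or unavailable AxoRouter means data loss).
axoflow_queue_configured() {
  awk '
    /^[[:space:]]*\[/ { active = ($0 ~ /^[[:space:]]*\[tcpout:axoflow\][[:space:]]*$/); next }
    active && /^[[:space:]]*(maxQueueSize|persistentQueueSize)[[:space:]]*=/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Constructed sample outputs.conf (placeholder addresses) written to a temp
# file for a dry run; echoes the path. Replace with the real file in use:
# /opt/splunk/etc/system/local/outputs.conf
axoflow_sample_conf() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = 192.0.2.10:9997

[tcpout:axoflow]
server = 192.0.2.20:9900, 192.0.2.21:9900
# maxQueueSize = 100MB
persistentQueueSize = 1GB
EOF
  echo "$f"
}

# Dry run against the constructed sample.
conf=$(axoflow_sample_conf)
echo "axoflow servers:"; axoflow_servers "$conf"
axoflow_check_ports "$conf" && echo "ports OK"
if axoflow_queue_configured "$conf"; then echo "queueing configured"
else echo "WARN: neither maxQueueSize nor persistentQueueSize is set"; fi
rm -f "$conf"
```

Run it as-is for the dry run, or point the three check functions at the forwarder's real outputs.conf; a non-zero exit from `axoflow_check_ports` or `axoflow_queue_configured` is worth resolving before the splunkd restart in step 2.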