Administrator
/
Splunk_Docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c5ff932166'
${ noResults }
Splunk_Docker/files/splunk-etc/system/README/inputs.conf.example

244 lines
7.1 KiB
Raw Normal View History Unescape

Inital Commit
5 months ago
# Version 9.2.2.20240415
#
# This is an example inputs.conf. Use this file to configure data inputs.
#
# To use one or more of these configurations, copy the configuration block into
# inputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
# The following configuration reads all the files in the directory /var/log.
[monitor:///var/log]
# The following configuration reads all the files under /var/log/httpd and
# classifies them as sourcetype::access_common.
#
# When checking a file for new data, if the file's modification time is from
# before seven days ago, the file will no longer be checked for changes
# until you restart the software.
[monitor:///var/log/httpd]
sourcetype = access_common
ignoreOlderThan = 7d
# The following configuration reads all the
# files under /mnt/logs. When the path is /mnt/logs/<host>/... it
# sets the hostname (by file) to <host>.
[monitor:///mnt/logs]
host_segment = 3
# The following configuration listens on TCP port 9997 for raw
# data from ANY remote server (not just a Splunk instance). The host of the
# data is set to the IP address of the remote server.
[tcp://9997]
# The following configuration listens on TCP port 9995 for raw
# data from ANY remote server. The host of the data is set as the host name of
# the remote server. All data will also be assigned the sourcetype "log4j" and
# the source "tcp:9995".
[tcp://9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995
# The following configuration listens on TCP port 9995 for raw
# data from 10.1.1.10.
# All data is assigned the host "webhead-1", the sourcetype "access_common" and
# the the source "//10.1.1.10/var/log/apache/access.log".
[tcp://192.0.2.10:9995]
host = webhead-1
sourcetype = access_common
source = //192.0.2.10/var/log/apache/access.log
# The following configuration listens on TCP port 9996 for
# Splunk cooked event data from ANY splunk forwarder.
# The host of the data is set to the host name of the remote server ONLY IF the
# remote data has no host set, or if it is set to "localhost".
[splunktcp://9996]
connection_host = dns
# The following configuration listens on TCP port 9996 for
# distributed search data from 10.1.1.100. The data is processed the same as
# locally indexed data.
[splunktcp://10.1.1.100:9996]
# The following configuration listens on TCP port 514 for data
# from syslog.corp.company.net. The data is assigned the sourcetype "syslog"
# and the host is set to the host name of the remote server.
[tcp://syslog.corp.example.net:514]
sourcetype = syslog
connection_host = dns
# Following configuration limits the acceptance of data to forwarders
# that have been configured with the token value specified in 'token' field.
# NOTE: The token value is encrypted. The REST endpoint encrypts the token
# while saving it.
[splunktcptoken://tok1]
token = $7$ifQTPTzHD/BA8VgKvVcgO1KQAtr3N1C8S/1uK3nAKIE9dd9e9g==
# Set up Secure Sockets Layer (SSL):
[SSL]
serverCert=$SPLUNK_HOME/etc/auth/server.pem
password=password
requireClientCert=false
[splunktcp-ssl:9996]
# Use file system change monitor:
[fschange:/etc/]
fullEvent=true
pollPeriod=60
recurse=true
sendEventMaxSize=100000
index=main
# Monitor the Security Windows Event Log channel, getting the most recent
# events first, then older, and finally continuing to gather newly arriving events
[WinEventLog://Security]
disabled = 0
start_from = newest
evt_dc_name =
evt_dns_name =
evt_resolve_ad_ds =
evt_resolve_ad_obj = 1
checkpointInterval = 5
# Monitor the ForwardedEvents Windows Event Log channel, only gathering the
# events that arrive after monitoring starts, going forward in time.
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 1
batch_size = 10
checkpointInterval = 5
[tcp://9994]
queueSize=50KB
persistentQueueSize=100MB
# Perfmon: Windows performance monitoring examples
# You must specify the names of objects, counters and instances
# exactly as they are shown in the Performance Monitor application. Splunk Web
# is the recommended interface to use to configure performance monitor inputs.
# These stanzas gather performance data from the local system only.
# Use wmi.conf for performance monitor metrics on remote systems.
# Query the PhysicalDisk performance object and gather disk access data for
# all physical drives installed in the system. Store this data in the
# "perfmon" index.
[perfmon://LocalPhysicalDisk]
interval = 10
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = PerfMon
# Gather common memory statistics using the Memory performance object, every
# 5 seconds. Store the data in the "main" index. Since none of the counters
# specified have applicable instances, the instances attribute is not required.
[perfmon://LocalMainMemory]
interval = 5
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = main
# Gather data on USB activity levels every 10 seconds. Store this data in the
# default index.
[perfmon://USBChanges]
interval = 10
object = USB
counters = Usb Control Data Bytes/Sec
instances = *
disabled = 0
# Admon: Windows Active Directory monitoring examples
# Monitor the default domain controller (DC) for the domain that the computer
# running Splunk belongs to. Start monitoring at the root node of Active
# Directory.
[admon://NearestDC]
targetDc =
startingNode =
# Monitor a specific DC, with a specific starting node. Store the events in
# the "admon" Splunk index. Do not print Active Directory schema. Do not
# index baseline events.
[admon://DefaultTargetDC]
targetDc = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com
index = admon
printSchema = 0
baseline = 0
# Monitor two different DCs with different starting nodes.
[admon://DefaultTargetDC]
targetDc = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com
[admon://SecondTargetDC]
targetDc = pri02.eng.ad.splunk.com
startingNode = OU=Computers,DC=hr,DC=ad,DC=splunk,DC=com
# logD
[logd://example]
logd-backtrace = false
logd-debug = false
logd-info = false
logd-loss = false
logd-signpost = false
logd-predicate = 'subsystem == "com.apple.TimeMachine" && eventMessage CONTAINS[c] "backup"'
logd-process = 220,221,223
logd-source = false
journalctl-include-fields = PRIORITY,CMD,EXE
logd-exclude-fields = bootUUID,formatString
logd-interval = 60
logd-starttime = "2015-01-10 17:15:00"
#journald
[journald://example]
journalctl-include-fields = MESSAGE
journalctl-exclude-fields = _UID,_MACHINE_ID,_GID,_COMM,_EXE
journalctl-filter = _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
journalctl-unit = systemd-modules-load.service
journalctl-identifier = SYSLOG_IDENTIFIER
journalctl-priority = 0
journalctl-boot = 2
journalctl-facility = help
journalctl-grep =^WARN.*disk,.*errno=\d+\S+restarting
journalctl-user-unit = SERVICENAME
journalctl-dmesg = true
journalctl-quiet = true

Powered by BW's shoe-string budget.