You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
223 lines
5.8 KiB
223 lines
5.8 KiB
# Version 9.2.2.20240415
|
|
#
|
|
# This file contains an example outputs.conf. Use this file to configure
|
|
# forwarding in a distributed set up.
|
|
#
|
|
# To use one or more of these configurations, copy the configuration block into
|
|
# outputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to
|
|
# enable configurations.
|
|
#
|
|
# To learn more about configuration files (including precedence) please see the
|
|
# documentation located at
|
|
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
|
|
|
|
|
|
# Specify a target group for an IP:PORT which consists of a single receiver.
|
|
# This is the simplest possible configuration; it sends data to the host at
|
|
# 10.1.1.197 on port 9997.
|
|
|
|
[tcpout:group1]
|
|
server=10.1.1.197:9997
|
|
|
|
|
|
# Specify a target group for a hostname which consists of a single receiver.
|
|
|
|
[tcpout:group2]
|
|
server=myhost.Splunk.com:9997
|
|
|
|
|
|
# Specify a target group made up of two receivers. In this case, the data will
|
|
# be distributed using AutoLB between these two receivers. You can specify as
|
|
# many receivers as you wish here. You can combine host name and IP if you
|
|
# wish.
|
|
# NOTE: Do not use this configuration with SplunkLightForwarder.
|
|
|
|
[tcpout:group3]
|
|
server=myhost.Splunk.com:9997,10.1.1.197:6666
|
|
|
|
|
|
# You can override any of the global configuration values on a per-target group
|
|
# basis. All target groups that do not override a global config will inherit
|
|
# the global config.
|
|
|
|
# Send every event to a receiver at foo.Splunk.com:9997 with a maximum queue
|
|
# size of 100,500 events.
|
|
|
|
[tcpout:group4]
|
|
server=foo.Splunk.com:9997
|
|
heartbeatFrequency=45
|
|
maxQueueSize=100500
|
|
|
|
# Send data to a receiving system that controls access by tokens.
|
|
# NOTE: token value is encrypted. Encryption is done by REST endpoint while saving.
|
|
[tcpout:group4]
|
|
server=foo.Splunk.com:9997
|
|
token=$1$/fRSBT+2APNAyCB7tlcgOyLnAtqAQFC8NI4TGA2wX4JHfN5d9g==
|
|
|
|
# Clone events to groups indexer1 and indexer2. Also, index all this data
|
|
# locally as well.
|
|
|
|
[tcpout]
|
|
indexAndForward=true
|
|
|
|
[tcpout:indexer1]
|
|
server=Y.Y.Y.Y:9997
|
|
|
|
[tcpout:indexer2]
|
|
server=X.X.X.X:6666
|
|
|
|
|
|
# Clone events between two data balanced groups.
|
|
|
|
[tcpout:indexer1]
|
|
server=A.A.A.A:1111, B.B.B.B:2222
|
|
|
|
[tcpout:indexer2]
|
|
server=C.C.C.C:3333, D.D.D.D:4444
|
|
|
|
# Syslout output configuration
|
|
# This example sends only events generated by the splunk daemon to a remote
|
|
# syslog host in syslog-compliant format:
|
|
|
|
[syslog:syslog-out1]
|
|
disabled = false
|
|
server = X.X.X.X:9099
|
|
type = tcp
|
|
priority = <34>
|
|
timestampformat = %b %e %H:%M:%S
|
|
|
|
|
|
# Auto Load Balancing
|
|
# This example balances output between two indexers listening on
|
|
# port 4433: 192.0.2.100:4433 and 192.0.2.101:4433.
|
|
# To achieve this you'd create a DNS entry for 'splunkLB' pointing
|
|
# to the two IP addresses of your indexers:
|
|
#
|
|
# $ORIGIN example.com.
|
|
# splunkLB A 192.0.2.100
|
|
# splunkLB A 192.0.2.101
|
|
|
|
[tcpout]
|
|
defaultGroup = lb
|
|
|
|
[tcpout:lb]
|
|
server = splunkLB.example.com:4433
|
|
|
|
# Alternatively, you can use autoLB directly without DNS:
|
|
|
|
[tcpout]
|
|
defaultGroup = lb
|
|
|
|
[tcpout:lb]
|
|
server = 192.0.2.100:4433, 192.0.2.101:4433
|
|
|
|
|
|
# Compression
|
|
#
|
|
# This example sends compressed events to the remote indexer.
|
|
# If set to "true", you do not need to set the 'compressed' setting to
|
|
"true" in the inputs.conf file on the receiver for compression
|
|
of data to occur.
|
|
# This setting applies to non-SSL forwarding only. For SSL forwarding with
|
|
compression, Splunk software uses the 'useClientSSLCompression' setting.
|
|
|
|
[tcpout]
|
|
server = splunkServer.example.com:4433
|
|
compressed = true
|
|
|
|
|
|
# SSL
|
|
#
|
|
# This example sends events to an indexer via SSL using splunk's
|
|
# self signed cert:
|
|
|
|
[tcpout]
|
|
server = splunkServer.example.com:4433
|
|
sslPassword = password
|
|
clientCert = $SPLUNK_HOME/etc/auth/server.pem
|
|
|
|
#
|
|
# The following example shows how to route events to syslog server
|
|
# This is similar to tcpout routing, but DEST_KEY is set to _SYSLOG_ROUTING
|
|
#
|
|
|
|
# 1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing
|
|
# attribute:
|
|
[default]
|
|
TRANSFORMS-routing=errorRouting
|
|
|
|
[syslog]
|
|
TRANSFORMS-routing=syslogRouting
|
|
|
|
# 2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting
|
|
# and syslogRouting rules:
|
|
[errorRouting]
|
|
REGEX=error
|
|
DEST_KEY=_SYSLOG_ROUTING
|
|
FORMAT=errorGroup
|
|
|
|
[syslogRouting]
|
|
REGEX=.
|
|
DEST_KEY=_SYSLOG_ROUTING
|
|
FORMAT=syslogGroup
|
|
|
|
# 3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which syslog
|
|
# outputs go to with servers or groups:
|
|
[syslog]
|
|
defaultGroup=everythingElseGroup
|
|
|
|
[syslog:syslogGroup]
|
|
server = 10.1.1.197:9997
|
|
|
|
[syslog:errorGroup]
|
|
server=10.1.1.200:9999
|
|
|
|
[syslog:everythingElseGroup]
|
|
server=10.1.1.250:6666
|
|
|
|
#
|
|
# Perform selective indexing and forwarding
|
|
#
|
|
# Using a heavy forwarder, you can index and store data locally, and
|
|
# forward the data out to a receiving indexer. In the example, by
|
|
# setting the defaultGroup to a non-existent group named "noforward",
|
|
# the forwarder only forwards data that has been routed using explicit
|
|
# target groups defined in the inputs.conf
|
|
|
|
|
|
# 1. In outputs.conf:
|
|
[tcpout]
|
|
defaultGroup = noforward
|
|
|
|
[indexAndForward]
|
|
index=true
|
|
selectiveIndexing=true
|
|
|
|
[tcpout:indexers]
|
|
server = 10.1.1.197:9997, 10.1.1.200:9997
|
|
|
|
# 2. In inputs.conf, add _INDEX_AND_FORWARD_ROUTING to the input
|
|
stanza for any data that you want to index locally, or
|
|
_TCP_ROUTING=<target_group> for data to be forwarded.
|
|
|
|
[monitor:///var/log/messages/]
|
|
_INDEX_AND_FORWARD_ROUTING=local
|
|
|
|
[monitor:///var/log/httpd/]
|
|
_TCP_ROUTING=indexers
|
|
|
|
# Output to S3 for Ingest Actions
|
|
|
|
# For example, sending to an AWS bucket "buttercup-bucket", with a prefix
|
|
# in front of all paths "some-prefix", along with encryption using AWS
|
|
# SSE-S3 to the us-west-2 region:
|
|
|
|
[rfs:s3]
|
|
path = s3://buttercup-bucket/some-prefix
|
|
remote.s3.encryption = sse-s3
|
|
remote.s3.endpoint = https://s3.us-west-2.amazonaws.com
|
|
remote.s3.signature_version = v4
|
|
remote.s3.supports_versioning = false
|
|
remote.s3.access_key = <access key here>
|
|
remote.s3.secret_key = <secret key here>
|