You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
204 lines
4.9 KiB
204 lines
4.9 KiB
# Version 8.2.3
|
|
#
|
|
# This file contains an example outputs.conf. Use this file to configure
|
|
# forwarding in a distributed set up.
|
|
#
|
|
# To use one or more of these configurations, copy the configuration block into
|
|
# outputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to
|
|
# enable configurations.
|
|
#
|
|
# To learn more about configuration files (including precedence) please see the
|
|
# documentation located at
|
|
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
|
|
|
|
|
|
# Specify a target group for an IP:PORT which consists of a single receiver.
|
|
# This is the simplest possible configuration; it sends data to the host at
|
|
# 10.1.1.197 on port 9997.
|
|
|
|
[tcpout:group1]
|
|
server=10.1.1.197:9997
|
|
|
|
|
|
# Specify a target group for a hostname which consists of a single receiver.
|
|
|
|
[tcpout:group2]
|
|
server=myhost.Splunk.com:9997
|
|
|
|
|
|
# Specify a target group made up of two receivers. In this case, the data will
|
|
# be distributed using AutoLB between these two receivers. You can specify as
|
|
# many receivers as you wish here. You can combine host name and IP if you
|
|
# wish.
|
|
# NOTE: Do not use this configuration with SplunkLightForwarder.
|
|
|
|
[tcpout:group3]
|
|
server=myhost.Splunk.com:9997,10.1.1.197:6666
|
|
|
|
|
|
# You can override any of the global configuration values on a per-target group
|
|
# basis. All target groups that do not override a global config will inherit
|
|
# the global config.
|
|
|
|
# Send every event to a receiver at foo.Splunk.com:9997 with a maximum queue
|
|
# size of 100,500 events.
|
|
|
|
[tcpout:group4]
|
|
server=foo.Splunk.com:9997
|
|
heartbeatFrequency=45
|
|
maxQueueSize=100500
|
|
|
|
# Send data to a receiving system that controls access by tokens.
|
|
# NOTE: token value is encrypted. Encryption is done by REST endpoint while saving.
|
|
[tcpout:group4]
|
|
server=foo.Splunk.com:9997
|
|
token=$1$/fRSBT+2APNAyCB7tlcgOyLnAtqAQFC8NI4TGA2wX4JHfN5d9g==
|
|
|
|
# Clone events to groups indexer1 and indexer2. Also, index all this data
|
|
# locally as well.
|
|
|
|
[tcpout]
|
|
indexAndForward=true
|
|
|
|
[tcpout:indexer1]
|
|
server=Y.Y.Y.Y:9997
|
|
|
|
[tcpout:indexer2]
|
|
server=X.X.X.X:6666
|
|
|
|
|
|
# Clone events between two data balanced groups.
|
|
|
|
[tcpout:indexer1]
|
|
server=A.A.A.A:1111, B.B.B.B:2222
|
|
|
|
[tcpout:indexer2]
|
|
server=C.C.C.C:3333, D.D.D.D:4444
|
|
|
|
# Syslout output configuration
|
|
# This example sends only events generated by the splunk daemon to a remote
|
|
# syslog host in syslog-compliant format:
|
|
|
|
[syslog:syslog-out1]
|
|
disabled = false
|
|
server = X.X.X.X:9099
|
|
type = tcp
|
|
priority = <34>
|
|
timestampformat = %b %e %H:%M:%S
|
|
|
|
|
|
# New in 4.0: Auto Load Balancing
|
|
#
|
|
# This example balances output between two indexers running on
|
|
# 1.2.3.4:4433 and 1.2.4.5:4433.
|
|
# To achieve this you'd create a DNS entry for splunkLB pointing
|
|
# to the two IP addresses of your indexers:
|
|
#
|
|
# $ORIGIN example.com.
|
|
# splunkLB A 1.2.3.4
|
|
# splunkLB A 1.2.3.5
|
|
|
|
[tcpout]
|
|
defaultGroup = lb
|
|
|
|
[tcpout:lb]
|
|
server = splunkLB.example.com:4433
|
|
|
|
# Alternatively, you can autoLB sans DNS:
|
|
|
|
[tcpout]
|
|
defaultGroup = lb
|
|
|
|
[tcpout:lb]
|
|
server = 1.2.3.4:4433, 1.2.3.5:4433
|
|
|
|
|
|
# Compression
|
|
#
|
|
# This example sends compressed events to the remote indexer.
|
|
# NOTE: Compression can be enabled TCP or SSL outputs only.
|
|
# The receiver input port should also have compression enabled.
|
|
|
|
[tcpout]
|
|
server = splunkServer.example.com:4433
|
|
compressed = true
|
|
|
|
|
|
# SSL
|
|
#
|
|
# This example sends events to an indexer via SSL using splunk's
|
|
# self signed cert:
|
|
|
|
[tcpout]
|
|
server = splunkServer.example.com:4433
|
|
sslPassword = password
|
|
clientCert = $SPLUNK_HOME/etc/auth/server.pem
|
|
|
|
#
|
|
# The following example shows how to route events to syslog server
|
|
# This is similar to tcpout routing, but DEST_KEY is set to _SYSLOG_ROUTING
|
|
#
|
|
|
|
# 1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing
|
|
# attribute:
|
|
[default]
|
|
TRANSFORMS-routing=errorRouting
|
|
|
|
[syslog]
|
|
TRANSFORMS-routing=syslogRouting
|
|
|
|
# 2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting
|
|
# and syslogRouting rules:
|
|
[errorRouting]
|
|
REGEX=error
|
|
DEST_KEY=_SYSLOG_ROUTING
|
|
FORMAT=errorGroup
|
|
|
|
[syslogRouting]
|
|
REGEX=.
|
|
DEST_KEY=_SYSLOG_ROUTING
|
|
FORMAT=syslogGroup
|
|
|
|
# 3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which syslog
|
|
# outputs go to with servers or groups:
|
|
[syslog]
|
|
defaultGroup=everythingElseGroup
|
|
|
|
[syslog:syslogGroup]
|
|
server = 10.1.1.197:9997
|
|
|
|
[syslog:errorGroup]
|
|
server=10.1.1.200:9999
|
|
|
|
[syslog:everythingElseGroup]
|
|
server=10.1.1.250:6666
|
|
|
|
#
|
|
# Perform selective indexing and forwarding
|
|
#
|
|
# With a heavy forwarder only, you can index and store data locally, as well as
|
|
# forward the data onwards to a receiving indexer. There are two ways to do
|
|
# this:
|
|
|
|
# 1. In outputs.conf:
|
|
[tcpout]
|
|
defaultGroup = indexers
|
|
|
|
[indexAndForward]
|
|
index=true
|
|
selectiveIndexing=true
|
|
|
|
[tcpout:indexers]
|
|
server = 10.1.1.197:9997, 10.1.1.200:9997
|
|
|
|
# 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
|
|
# index locally, and
|
|
_TCP_ROUTING=<target_group> for data to be forwarded.
|
|
|
|
[monitor:///var/log/messages/]
|
|
_INDEX_AND_FORWARD_ROUTING=local
|
|
|
|
[monitor:///var/log/httpd/]
|
|
_TCP_ROUTING=indexers
|
|
|