Splunk universal forwarder

Splunk universal forwarder source plugin

Splunk Universal Forwarder (UF) is a lightweight data collection agent that enables you to collect data from various sources. Splunk UF provides a highly secure and reliable solution for collecting and forwarding data, with support for various input sources such as logs, metrics, and events. It can collect data from both local and remote sources and supports various protocols such as TCP, UDP, HTTP, and HTTPS. Splunk UF also provides a wide range of configuration options, letting you customize its behavior to suit your specific needs.

You can use the Splunk UF source plugin to configure your Calyptia Core pipeline to collect data from your Splunk UF instances.

Configuration parameters

The Splunk UF source plugin provides these configuration parameters.

General

| Key | Description |
| --- | --- |
| Port | TCP port used for listening for incoming messages. |

Advanced

| Key | Description |
| --- | --- |
| Format | Set the format: json or none. |
| Set Separator | Set separator. |
| Chunk Size | Set the chunk size for incoming messages. |
| Buffer Size | Set the chunk size for incoming JSON messages. These chunks are then stored and managed in the space made available by buffer_size. |

Security and TLS

| Name | Key | Description | Default |
| --- | --- | --- | --- |
| TLS | tls | Enable or disable TLS/SSL support. | none |
| TLS Certificate Validation | tls.verify | Turn TLS/SSL certificate validation on or off. TLS must be on for this setting to be enabled. | on |
| TLS Debug Level | tls.debug | Set TLS debug verbosity level. Accepted values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational), 4 (Verbose). | 1 |
| CA Certificate File Path | tls.ca_file | Absolute path to CA certificate file. | none |
| Certificate File Path | tls.crt_file | Absolute path to certificate file. | none |
| Private Key File Path | tls.key_file | Absolute path to private key file. | none |
| Private Key Path Password | tls.key_passwd | Optional password for tls.key_file file. | none |
| TLS SNI Hostname Extension | tls.vhost | Hostname to be used for TLS SNI extension. | none |
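
The following check is an added example, not code from Calyptia Core or this documentation: it audits one source's TLS settings against the table above and reports weak or inconsistent values. The function name `audit_tls`, the plain-dict input shape, the treatment of `on`/`true` as enabled, and the sample paths are assumptions made for illustration.

```python
import os
import stat

# Keys and accepted values come from the "Security and TLS" table on this page.
ON = {"on", "true"}  # assumption: values treated as "enabled"
PATH_KEYS = ("tls.ca_file", "tls.crt_file", "tls.key_file")


def audit_tls(settings):
    """Return (severity, message) findings for one source's TLS settings."""
    # `settings` is a dict keyed by the table's Key column (assumed input shape).
    findings = []
    if str(settings.get("tls", "none")).lower() not in ON:
        findings.append(("high", "tls is not on: forwarded events cross the network in cleartext"))
        return findings  # the other keys only take effect when TLS is on

    # tls.verify defaults to on, so only an explicit opt-out is flagged.
    if str(settings.get("tls.verify", "on")).lower() not in ON:
        findings.append(("high", "tls.verify is off: certificates are not validated"))

    # Assumption: a listening source needs its own certificate and private key.
    for key in ("tls.crt_file", "tls.key_file"):
        if not settings.get(key):
            findings.append(("high", f"{key} is not set"))

    for key in PATH_KEYS:
        path = settings.get(key)
        if path and not os.path.isabs(path):
            findings.append(("medium", f"{key} must be an absolute path: {path}"))

    if str(settings.get("tls.debug", "1")) not in {"0", "1", "2", "3", "4"}:
        findings.append(("low", "tls.debug must be an integer from 0 to 4"))

    # A private key readable beyond its owner can be copied by other local users.
    key_path = settings.get("tls.key_file")
    if key_path and os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("high", f"{key_path} is readable by group/other ({oct(mode)})"))
    return findings


# Constructed sample settings, not taken from a real deployment.
WEAK = {"tls": "on", "tls.verify": "off", "tls.crt_file": "certs/uf.crt", "tls.debug": "4"}
HARDENED = {"tls": "on", "tls.verify": "on", "tls.ca_file": "/etc/ssl/uf/ca.pem",
            "tls.crt_file": "/etc/ssl/uf/server.crt", "tls.key_file": "/etc/ssl/uf/server.key"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_tls(cfg) or "no findings")
```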

Splunk Universal Forwarder configuration

[tcpout]
defaultGroup = calyptia
disabled = false

[tcpout:calyptia]
server = <CALYPTIA CORE HOST>:<PIPELINE PORT>
sendCookedData = false
negotiateProtocolLevel = 0