Splunk universal forwarder source plugin
Splunk Universal Forwarder (UF) is a lightweight data collection agent that enables you to collect data from various sources. Splunk UF provides a highly secure and reliable solution for collecting and forwarding data, with support for various input sources such as logs, metrics, and events. It can collect data from both local and remote sources and supports various protocols such as TCP, UDP, HTTP, and HTTPS. Splunk UF also provides a wide range of configuration options, letting you to customize its behavior to suit your specific needs.
You can use the Splunk UF Source Plugin to configure your Calyptia Core pipeline to collect data from your Splunk UF instances.
Configuration parameters
The Splunk UF source plugin provides these configuration parameters.
General
| Key | Description |
|---|---|
| Port | TCP port used for listening for incoming messages. |
Advanced
| Key | Description |
|---|---|
| Format | Set the format: json or none. |
| Set Separator | Set separator. |
| Chunk Size | Set the chunk size for incoming messages. |
| Buffer Size | Set the chunk size for incoming JSON messages. These chunks are then stored and managed in the space available by buffer_size. |
Security and TLS
| Key | Description |
|---|---|
| TLS | Enable or disable TLS/SSL support. |
| TLS Certificate Validation | Turn TLS/SSL certificate validation on or off. TLS must be on for this setting to be enabled. |
| TLS Debug Level | Set TLS debug verbosity level. Accepted values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational), 4 (Verbose). |
| CA Certificate File Path | Absolute path to CA certificate file. |
| Certificate File Path | Absolute path to certificate file. |
| Private key File Path | Absolute path to private key file. |
| Private Key Path Password | Optional password for tls.key_file file. |
| TLS SNI Hostname Extension | Hostname to be used for TLS SNI extension. |
Splunk Universal Forwarder configuration
[tcpout]
defaultGroup = calyptia
disabled = false
[tcpout:calyptia]
server = <CALYPTIA CORE HOST>:<PIPELINE PORT>
sendCookedData = false
negotiateProtocolLevel = 0