Skip to content

Latest commit

 

History

History

README.md

Overview

This PoC uses the Splunk Universalforwarder and Heavyforwarder as the main ingesting component.

Overview

In this PoC the Universalforwarder is used to monitor the /usr/share/data/accesss.log-file on the local filesystem and output the data to the heavyforwarder. The heavyforwarder receives data from the universalforwarder and monitors the local /usr/share/data/accesss.log-file. The heavyforwarder then forwards the data to Splunk. Splunk then stores the data in the http_logs index. When searched, Splunk applies the access_combined sourcetype to extract fields.

Usage

To run the PoC simply execute the run.sh script. It will start all the docker-container and apply runtime configuration, aswell as output log messages and cleanup after you exit.

Configuration

Connectivity-configuration is handled in the docker-compose.yml. Splunk configuration is applied using apps (see apps-directory). Forwarder configuration is handled via the Forwarder-Management: Configuration is stored in apps in the deployment-apps-directory of splunk and is then automatically distributed to forwarder, according the assigned serverclasses.