
Using the Splunk Universal Forwarder with Layer8Insight

The Layer8Insight data forwarding service can package and transmit Layer8Insight data in a variety of formats over multiple protocols.

There are situations where the Splunk Universal Forwarder is the preferred method for transmitting data from an end-user system to the Splunk Indexer.

Layer8Insight and the Splunk Universal Forwarder are easily configured to work together in this way.

One must first configure the Layer8Insight data forwarder to send data to the Splunk Universal Forwarder on the local system. The simple approach is to make the Layer8Insight data forwarder send data via localhost. The corresponding configuration details are below.

In the Layer8Insight configuration file (C:\<32-bit_PROGRAM_FILES>\OctoInsight\Layer8Insight\config.ini), set the output options as follows (note the 'Address' field):

[DataOutput#1]
DataCollectionScope=All
Protocol=TCP
DataFormat=NVP
Address=127.0.0.1
Port=8050


Now, add the following stanza to the Splunk Universal Forwarder inputs configuration file (C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf). Note that the address and port values in the stanza must match the Address and Port fields from the Layer8Insight configuration file.

[tcp://127.0.0.1:8050]
sourcetype = layer8data
index = layer8
disabled = 0

After updating the configuration files, you must restart both the Layer8Insight dcacSvc and the splunkforwarder Windows services for these changes to take effect. One can also log out/reboot the system.

If the changes are correctly executed, Layer8Insight data should appear in the Splunk instance as it would were the Layer8Insight data forwarder service talking directly to the Splunk Indexer.
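
The following PowerShell script is an added example, not part of the original article or of either product. It checks that the Address and Port in config.ini match a tcp stanza in inputs.conf, restarts both services, and confirms a listener is present on the port. It assumes an elevated PowerShell session; the Read-IniFile helper, the parameter names and the 5-second wait are hypothetical choices made for this example.

```powershell
param(
    # Assumption: pass the full path to config.ini. The article gives it with a
    # <32-bit_PROGRAM_FILES> placeholder, so it is not hard-coded here.
    [Parameter(Mandatory = $true)][string]$Layer8Config,
    [string]$InputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf',
    [string]$OutputSection = 'DataOutput#1'
)
$ErrorActionPreference = 'Stop'

# Hypothetical helper: read an INI-style file into @{ section = @{ key = value } }.
function Read-IniFile([string]$Path) {
    $sections = @{}
    $current = $null
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $sections
}

$layer8 = (Read-IniFile $Layer8Config)[$OutputSection]
if ($null -eq $layer8) { throw "Section [$OutputSection] not found in $Layer8Config" }
if ($layer8['Protocol'] -ne 'TCP') { throw "Protocol is '$($layer8['Protocol'])', expected TCP" }

# The inputs.conf stanza name must carry the same address and port.
$stanzaName = 'tcp://{0}:{1}' -f $layer8['Address'], $layer8['Port']
$stanza = (Read-IniFile $InputsConf)[$stanzaName]
if ($null -eq $stanza) { throw "No [$stanzaName] stanza in $InputsConf" }
if ($stanza['disabled'] -in '1', 'true') { throw "[$stanzaName] is disabled in $InputsConf" }

# Restart the forwarder first so its TCP input is open before Layer8Insight reconnects.
Restart-Service -Name 'splunkforwarder'
Restart-Service -Name 'dcacSvc'
Start-Sleep -Seconds 5   # arbitrary pause to let the input come up

$listener = Get-NetTCPConnection -State Listen -LocalPort ([int]$layer8['Port']) -ErrorAction SilentlyContinue
if (-not $listener) { throw "Nothing is listening on TCP port $($layer8['Port']) after the restart" }
$listener | Select-Object LocalAddress, LocalPort, OwningProcess
```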
