How Do I Set Up Syslog to Connect to Splunk Cloud Using the Universal Forwarder?

This article applies to all MetaDefender Core releases deployed on Linux systems.

This KB provides a guideline for setting up the integration with Splunk Cloud. Splunk Cloud requires the Universal Forwarder, so we need to set up the Universal Forwarder first. In this KB I am using Red Hat 9.2 (Plow), so the commands shown here are run on Red Hat and the package format is RPM.


1 - Install Universal Forwarder

In your Splunk instance, select this option to set up the Universal Forwarder.

Then follow this Splunk instruction to complete the setup.

After downloading the installer and credential files as shown in the screenshot below, you can proceed with setting up the Splunk Universal Forwarder.

  • Installer file: splunkforwarder-10.0.0-e8eb0c4654f8.x86_64.rpm
  • Credential file: splunkclouduf.spl

Install the Splunk Universal Forwarder using the following command:

Step 1: Create the Splunk user and group.


Step 2: Install the Splunk software as described in the installation instructions for your platform. Create the $SPLUNK_HOME directory wherever desired.


Step 3: Run the command to install the package.


The output should be:


Step 4: Run the chown command to change the ownership of the Splunk directory and all its contents to the user that will run the Splunk software.

Step 5: Run the command below to start the forwarder:


or this command:


You will be prompted to create a new administrator username and password. After entering the required information, you should see the following output:


To verify, run the command below:


The output should be:


2 - Install the forwarder credentials

To install the forwarder credentials, run the following command:


It will prompt you for the username and password you set during the Splunk Forwarder installation.

Once completed, you should see an output confirming the action, followed by a prompt to restart Splunk.


To restart Splunk, run this command:


The output should be:


To configure Splunk to listen for syslog, create the file /opt/splunkforwarder/etc/system/local/inputs.conf and add the following settings:


To verify whether the Splunk Universal Forwarder (UF) port is open, you can use the following command:

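Before restarting the forwarder with a new inputs.conf, it is worth checking that the syslog listener stanzas are sane: the forwarder was installed under a dedicated non-root user in Step 1, and a non-root process cannot bind a port below 1024 on Linux without CAP_NET_BIND_SERVICE. The following checker is an added example, not the article's or Splunk's own code; the sample inputs.conf content, the stanza names and the service user name are assumptions for the example.

```python
import configparser

# Constructed sample standing in for /opt/splunkforwarder/etc/system/local/inputs.conf.
# The stanzas and values are assumptions for this example, not the article's own settings.
SAMPLE_INPUTS_CONF = """\
[udp://514]
sourcetype = syslog
connection_host = ip

[tcp://10514]
sourcetype = syslog
"""

PRIVILEGED_PORT_LIMIT = 1024  # Linux needs root or CAP_NET_BIND_SERVICE to bind below this


def parse_syslog_listeners(conf_text):
    """Return [(proto, port, sourcetype)] for every [udp://...] / [tcp://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    listeners = []
    for section in cp.sections():
        proto, sep, rest = section.partition("://")
        if sep != "://" or proto not in ("udp", "tcp"):
            continue  # e.g. [monitor://...]: not a network listener
        # Splunk stanza form is [udp://<remote host>:<port>]; the host part is optional.
        _host, _, port = rest.rpartition(":")
        listeners.append((proto, int(port), cp.get(section, "sourcetype", fallback=None)))
    return listeners


def check_listeners(conf_text, run_as_root=False):
    """Return warnings a practitioner would want to see before restarting the forwarder."""
    warnings = []
    for proto, port, sourcetype in parse_syslog_listeners(conf_text):
        if port < PRIVILEGED_PORT_LIMIT and not run_as_root:
            warnings.append(
                f"{proto}://{port}: privileged port; the non-root service user (assumed 'splunk') "
                "cannot bind it unless the forwarder is granted CAP_NET_BIND_SERVICE")
        if sourcetype != "syslog":
            warnings.append(f"{proto}://{port}: sourcetype is {sourcetype!r}, expected 'syslog'")
    return warnings


if __name__ == "__main__":
    for warning in check_listeners(SAMPLE_INPUTS_CONF):
        print("WARNING:", warning)
```

Point the checker at the real file (open it and pass its contents) after editing inputs.conf; an empty warning list means the stanzas parse and the ports are bindable by the service user.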

3 - Integrate MD Core syslog with Splunk Universal Forwarder.

If you are using MD Core on Linux (Red Hat, Ubuntu, or Debian), you can configure syslog by adding the settings below to the /etc/ometascan/ometascan.conf file.

These settings should be placed directly beneath the [logger] section.


For example:


Then restart the MD Core service.


Now go back to your Splunk instance and search for "syslog"; you should see entries related to MD Core appearing there.

If further assistance is required, please log a support case or chat with our support engineer.
