¶ Overview
Artica is Splunk Universal Forwarders (UF) compliance
Universal Forwarders provide reliable, secure data collection from various sources and deliver the data to Splunk Enterprise or Splunk Cloud for indexing and analysis. There are several types of forwarders, but the most common is the universal forwarder, a small footprint agent, installed directly on an endpoint. Forwarders automatically send file-based data of any sort to the Splunk indexer. In most cases these are log events of some sort, but the files can contain any data in any format.
¶ Events and Source Types
Artica sends the following events wrapped in different sources types to Splunk Server:
- SQUID
- source:
- access.log
- sourcetype:
- artica:squid:access
- source:
- NGINX
- source:
- access.log
- error.log
- sourcetype:
- artica:nginx:access
- artica:nginx:error
- source:
- SSH
- source:
- sshd.log
- sourcetype:
- artica:ssh
- source:
- AUTH
- source:
- auth.log
- sourcetype:
- artica:auth
- source:
- FIREWALL
- source:
- firewall.log
- sourcetype:
- artica:sourcetype=artica:firewall
- source:
- SURICATA IDS
- source:
- eve.json
- sourcetype:
- artica:suricata:http (Web)
- artica:suricata:dns (Network Resolution)
- artica:suricata:tls (Certificates)
- artica:suricata:flow (Traffic)
- artica:suricata:netflow (Network Traffic)
- artica:suricata:dhcp (Network Sessions)
- artica:suricata:alert (Intrusion Detection)
- source:
- HAProxy
- source:
- haproxy.log
- sourcetype:
- artica:haproxy:http (httplog)
- artica:haproxy:tcp (tcplog)
- source:
- HACluster
- source:
- hacluster-connections.log
- sourcetype:
- artica:hacluster:http (httplog)
- artica:hacluster:tcp (tcplog)
- source:
¶ Installation
To install the Splunk Universal Forwarders go to:
- Your system menu
- Select Features
- On Featues page search by "splunk"
- Clink on the button install
¶ Setup Universarl Forward
To setup the Splunk Universal Forwarders go to:
- Your system menu
- Splunk
- Enter the Splunk server address and the Receive data port of Splunk Server
- If you use authentication on Splunk Server, enter the Username and Password
- Click Apply
If the service status is green the Universal Forwarders is ready to send data to the Splunk Server
¶ Setup Splunk Server
¶ Install Addon
- Download the add-on from Splunkbase https://splunkbase.splunk.com/app/5652/ .
- From the Splunk Web home screen, click the gear icon next to Apps.
- Click Install app from file.
- Locate the downloaded file and click Upload.
- If Splunk Enterprise prompts you to restart, do so.
- Verify that the add-on appears in the list of apps and add-ons. You can also find it on the server at
$SPLUNK_HOME/etc/apps/<Name_of_add-on>.
¶ Examples
¶ SQUID
¶ access.log
Squid saves key information about HTTP and ICP transactions in access.log. To see the Squid access.log events on Splunk Server, search by source type artica:squid:access
It possible filter the results by fields, for example you can filter the results by a specific category name, in this example we want to show all the records that contains the category name "Google", so we search by artica:squid:access category_name=Google
¶ NGINX
¶ access.log
NGINX writes information about client requests in the access log right after the request is processed. To see the NGINX access.log events on Splunk Server, search by source type artica:nginx:access
¶ error.log
NGINX writes information about encountered issues of different severity levels to the error log. To see the NGINX error.log events on Splunk Server, search by source type artica:nginx:error
¶ SSH
¶ sshd.log
To see the ssh events on Splunk Server, search by source type artica:ssh
¶ AUTH
¶ auth.log
auth.log keeps authentication events for both successful or failed logins, and authentication processes.To see the auth events on Splunk Server, search by source type artica:auth
¶ Troubleshooting
¶ Can't install Splunk Universal Forwarders
When you try install the Splunk Universal Forwarders and if the install button is disable with the message "not installed", it means that the Universal Forwarders binary is not installed on the server.
To fix this, go to:
- Your System
- Vesrions
- On versions page search by "Splunk"
- Clink on the button "Install or Upgrade"
- On popup window, select the lasted version and click again on the button "Install or Upgrade"
