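# Splunk Configuration Template
#
# This file is a template for configuring Splunk to collect and index logs.
# It collects examples for several log sources and related settings; review
# and adapt it to your environment before use.
#
# NOTE: Splunk does not support inline comments. Every comment in a .conf
# file must start at the beginning of its own line; text after a value on
# the same line becomes part of that value.
#
# NOTE: Splunk reads each family of settings from its own file. The input
# stanzas below belong in inputs.conf; event breaking belongs in props.conf;
# masking rules belong in transforms.conf (bound via props.conf); index
# definitions belong in indexes.conf. Deploy them under an app's local/
# directory rather than editing files under default/.
#
# Placeholders written as <name> must be replaced with real values.

# ==============================================================================
# Global Settings
# ==============================================================================
[default]
# Host field applied to events from inputs that do not set their own host.
# Replace with the real hostname, or remove this stanza to keep the value
# Splunk ships with.
host =

# ==============================================================================
# Input Configuration: System Logs (Syslog)
# ==============================================================================
# UDP input for receiving syslog messages. Configure your syslog daemon to
# forward to this Splunk instance.
#
# Caveats:
#   * UDP syslog is unauthenticated and unreliable: messages can be lost and
#     the source address can be spoofed. With connection_host = ip the host
#     field is taken from the packet source, so a spoofed packet can
#     impersonate another host in the index. Prefer a syslog relay
#     (rsyslog/syslog-ng) with TLS, or Splunk's [tcp-ssl://<port>] input, for
#     anything security-relevant.
#   * Ports below 1024 need root or CAP_NET_BIND_SERVICE. If splunkd runs as
#     an unprivileged user, use a high port (and update the senders) or let a
#     local syslog daemon own 514 and write files that a monitor input reads.
[udp://514]
connection_host = ip
sourcetype = syslog
# Restrict senders to the networks that are expected to forward syslog;
# packets from anywhere else are dropped.
# acceptFrom = <syslog_relay_cidr>
# Change if you want to index into a different index. Consider a dedicated
# index so search access can be restricted per role and retention set
# separately from general data.
index = main
disabled = false

# ==============================================================================
# Input Configuration: File Monitoring (Tail)
# ==============================================================================
# Monitor a specific log file. Useful for application logs. Adjust the path
# and sourcetype accordingly; the user splunkd runs as must be able to read
# the file.
[monitor:///var/log/<app>/<app>.log]
sourcetype = <app>_log
# Change if you want to index into a different index.
index = main
disabled = false

# Multiline event breaking is not an inputs.conf setting. Configure it in
# props.conf under the sourcetype, for example:
# [<app>_log]
# MUST_BREAK_AFTER = ^\d{4}-\d{2}-\d{2}

# ==============================================================================
# Input Configuration: Windows Event Logs (Windows)
# ==============================================================================
# Configure Splunk to collect Windows Event Logs.
# Adjust the event logs to monitor as needed.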
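[WinEventLog://Application]
disabled = false
index = wineventlog
sourcetype = WinEventLog:Application
# Optional: resolve SIDs/GUIDs to Active Directory object names. This does an
# AD lookup per event, so it adds load and requires the forwarder's service
# account to be able to query AD; measure the cost before enabling it on a
# busy channel.
# evt_resolve_ad_obj = 1
# Optional: filter by event code. Example: only collect events 4624 and 4625.
# A blacklist takes the same form and is the usual choice for dropping very
# noisy codes while keeping everything else.
# whitelist = 4624,4625

[WinEventLog://System]
disabled = false
index = wineventlog
sourcetype = WinEventLog:System

[WinEventLog://Security]
disabled = false
index = wineventlog
sourcetype = WinEventLog:Security
# IMPORTANT: the Security channel is high volume; size storage and retention
# accordingly, and filter noisy event codes rather than disabling the channel.
# The wineventlog index must exist on the indexers (see indexes.conf below).

# ==============================================================================
# Input Configuration: Scripted Input (Example: CPU Utilization)
# ==============================================================================
# Example scripted input collecting CPU utilization. Requires a script
# (e.g., cpu_utilization.sh or cpu_utilization.ps1) that prints the
# utilization in a structured format (e.g., CSV, JSON).
#
# splunkd runs this script on every interval with its own privileges, so the
# script is a code-execution path: it must be owned by the Splunk user,
# executable, and not writable by group or others. Keep it inside the app's
# bin/ directory as shown.
[script://$SPLUNK_HOME/etc/apps/<app>/bin/cpu_utilization.sh]
# Seconds between runs.
interval = 60
sourcetype = cpu_utilization
# Consider a dedicated index. A metrics-type index (datatype = metric) only
# accepts metric data points; if the script emits plain CSV/JSON event lines,
# point this at an events index instead.
index = metrics
disabled = false

# ==============================================================================
# Transformations (Optional)
# ==============================================================================
# Transforms modify events before they are indexed. They live in
# transforms.conf and run in the parsing pipeline (indexer or heavy
# forwarder), not on a universal forwarder. Index-time masking is
# irreversible, and the unmasked data still travels from the source to the
# parsing tier, so protect that path (e.g., TLS between forwarders and
# indexers) separately.
#
# Example: masking sensitive data. Replace <sensitive_pattern> with a regex
# for the value to hide; $1 keeps the text before it and $2 the text after.
# An event the regex does not match is indexed unmasked, so verify the
# pattern against sample events.
# [transform-null]
# REGEX = (.*)<sensitive_pattern>(.*)
# FORMAT = $1MASKED$2
# DEST_KEY = _raw
#
# The transform only takes effect once it is bound to a sourcetype in
# props.conf:
# [<sourcetype>]
# TRANSFORMS-mask = transform-null

# ==============================================================================
# Index Configuration (Optional)
# ==============================================================================
# Index-specific settings (indexes.conf).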
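# [<index_name>]
# homePath = $SPLUNK_DB/<index_name>/db
# coldPath = $SPLUNK_DB/<index_name>/colddb
# thawedPath = $SPLUNK_DB/<index_name>/thaweddb
# maxDataSize = auto
# Retention before buckets are frozen (deleted unless coldToFrozenDir is set).
# This setting takes an integer number of seconds, not a duration such as
# "90d"; 7776000 = 90 days.
# frozenTimePeriodInSecs = 7776000
#
# Define the wineventlog and metrics indexes referenced by the inputs above
# the same way; events sent to an index that does not exist are dropped
# unless lastChanceIndex is configured. Keeping security logs in their own
# index lets you restrict search access by role and set retention to match
# your policy.

# ==============================================================================
# Notes
# ==============================================================================
# * Replace every <placeholder> with an actual value.
# * Put each stanza in the .conf file it belongs to (inputs.conf, props.conf,
#   transforms.conf, indexes.conf) under an app's local/ directory.
# * Keep comments on their own lines; Splunk treats trailing text after a
#   value as part of the value.
# * Ensure proper permissions are set for log files and scripts: readable by
#   the Splunk user, and scripts not writable by anyone else.
# * Test configurations thoroughly (e.g., with sample data and
#   "splunk btool <conf> list --debug") before deploying to production.
# * Use the Monitoring Console for health checks and troubleshooting.
# * Review the Splunk documentation for the full list of settings.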