Module 8: Network and Other Inputs

Question 1

What are network inputs?

Answer 1

• TCP/UDP – accept input on any port
• Network services – capture data from syslog or netcat
• Secure – accepted from hosts with correct SSL certs
• Agentless – no need for UF
• Configurations – Splunk Web, conf files and CLI commands

Question 2

What is a Splunk stream?

Answer 2

• Splunk-supported free app

* An alternative way to collect ‘difficult’ inputs

Question 3

What is a HTTP event collector?

Answer 3

• Fast and efficient – sends data over HTTPS
• Agentless monitoring – directly sends data to Splunk
• Token based – no need for credentials hard-coding
• No configuration overheads – proxies allow for HTTP communication

Question 4

How is a HEC configured?

Answer 4

• [http://TokenName] stanza in inputs.conf
• Enable globally
• Unique GUID
• Default port 8088
• Indexer acknowledgement

Question 5

What are the HEC global settings?

Answer 5

• [http] stanza contains global settings
• Disabled=true/false
• maxSockets=
• maxThreads=
• outputGroup=

Question 6

What are the HEC per-token settings?

Answer 6

• queueSize= KB|MB|GB
• persistentqueueSize=KB|MB|FB
• connection_host
• Index and indexes

Question 7

What is SC4S?

Answer 7

Splunk connect for syslog
• Looks like an app, but it’s actually a container
• Preconfigured syslog receiver and a http event log