
Enabling the Splunk Forwarder

If your organization is using the Vidyo-hosted Splunk server, you can automatically forward your VidyoRoom logs to that server once you provide the hostname and index. The other fields are automatically populated with default values if left empty.

In order for the Splunk forwarder to work correctly, your VidyoRoom system hostname must be set to a unique value and the index provided in the Index field must match the index on the Splunk server. Additionally, if ‘vr’ is entered in the Hostname field in the Settings > Network section, then the Splunk forwarder settings will not be saved. A pop-up will appear alerting you of this issue.



For information about how to set the hostname, see Configuring the Network Settings.

 

Caution: You understand and acknowledge that Splunk forwarder is a third party software and Vidyo will have no liability for any failures, corruption or loss of data and/or information caused to your devices or systems as a result of the implementation or use of Splunk forwarder by you.

By enabling this feature, you are warranting that you have permission to use the Splunk Enterprise instance which listens at the configured IP address and you agree to assume all risks and all costs associated with your use of any Splunk software or service.

Further, you understand that unauthorized access to the Splunk Enterprise system may allow unauthorized actors to gather metadata (participant lists, time/date, phone numbers, etc.) about conferences in which your VidyoRoom systems have participated. This feature is being provided on an “AS IS” and “AS AVAILABLE” basis and Vidyo is not obligated to provide any maintenance, technical or other support for any Splunk software or service.



The following sourcetypes are used when setting up the Splunk forwarder:

  • WinEventLog:System
  • WinEventLog:Application
  • WinEventLog:Security
  • WinEventLog:Setup
  • exception
  • exchange
  • googlecalendar
  • installer
  • patch
  • ui
  • vidyodesktop
    The vidyodesktop sourcetype requires additional changes to the props.conf file on the Splunk server. Make direct changes to the file or use the Splunk Server UI as follows:
    • MAX_TIMESTAMP_LOOKAHEAD = 20
    • NO_BINARY_CHECK = true
    • TIME_FORMAT = %m-%d %H:%M:%S.%3N
    • Category = Custom
    • Pulldown_type = 1
      Restart Splunk or use debug refresh if making direct changes to the props.conf file.

 

The creation of the vidyodesktop sourcetype on the Splunk server must be done before starting a Splunk forwarder. If this is not done, the events from the vidyodesktop sourcetype may have incorrect time extraction. The other sourcetypes can be auto-created by Splunk and everything will work seamlessly.

If any of these sourcetypes have been configured already on the Splunk server, the Splunk server may extract or index the information in an unexpected manner. For example, if the TIME_FORMAT for the sourcetype does not match the time format of the file we are monitoring, the time may be extracted incorrectly. Currently, we do not have an option for the user to be able to customize the name of the sourcetype on the Splunk forwarder.
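A pre-flight check for the situation described above, run against a copy of the server's props.conf before the forwarder is started. This is an added example, not Vidyo or Splunk code; the sample stanza, the sample event line, and the function names are constructed for illustration, and it assumes the timestamp sits at the start of each event.

```python
import configparser
import re

# Values the page lists for the vidyodesktop sourcetype (names as printed there).
REQUIRED = {
    "MAX_TIMESTAMP_LOOKAHEAD": "20",
    "NO_BINARY_CHECK": "true",
    "TIME_FORMAT": "%m-%d %H:%M:%S.%3N",
    "Category": "Custom",
    "Pulldown_type": "1",
}
# Shape of a timestamp written with TIME_FORMAT = %m-%d %H:%M:%S.%3N (18 characters).
TS_RE = re.compile(r"\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}")

# Constructed sample: a stanza that already existed with a different TIME_FORMAT.
SAMPLE_PROPS = """\
[vidyodesktop]
MAX_TIMESTAMP_LOOKAHEAD = 20
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S
"""
# Constructed sample event; the text after the timestamp is invented.
SAMPLE_LINE = "01-15 13:45:22.123 constructed sample event"


def check_stanza(props_text, sourcetype="vidyodesktop"):
    """Return a list of differences between the stanza and REQUIRED."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(props_text)
    if not cp.has_section(sourcetype):
        return [f"[{sourcetype}] stanza is missing"]
    problems = []
    for key, want in REQUIRED.items():
        got = cp.get(sourcetype, key, fallback=None)  # key match ignores case
        if got is None or got.strip() != want:
            problems.append(f"{key}: expected {want!r}, found {got!r}")
    return problems


def timestamp_in_lookahead(line, lookahead=20):
    """True if a matching timestamp ends within the first `lookahead` characters."""
    m = TS_RE.search(line)
    return m is not None and m.end() <= lookahead


if __name__ == "__main__":
    for problem in check_stanza(SAMPLE_PROPS):
        print(problem)
    print(timestamp_in_lookahead(SAMPLE_LINE))
```

An empty list from check_stanza means the stanza matches the values listed above; any entry names a setting to correct on the server before the forwarder is enabled.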

Lastly, delete any older log files prior to enabling the Splunk forwarder; otherwise, there will be a delay in syncing new log files with the server.



To enable the Splunk forwarder:

  1. Click the Logs tab.



  2. Click the blue triangle next to the words Splunk Forwarder to view the Splunk Forwarder settings if needed.

  3. Select the Enable Splunk Forwarder checkbox.

    The Splunk Forwarder pop-up appears.



  4. Click Ok.

  5. Enter an index of the Splunk Server in the Index field, which is where your logs will be sent for analysis.

    For more information about how to properly configure the values for your Splunk forwarder, refer to the Splunk documentation at http://docs.splunk.com/Documentation/Forwarder/6.4.3/Forwarder/Configuretheuniversalforwarder.

  6. Enter the IP address or the hostname of the Splunk server in the Server Address field.

  7. Enter the listening port of the Splunk Server in the Server Port field.

  8. Select the Enable SSL checkbox if you want to encrypt the log data that you are sending to the server.

  9. Enter the password for the RSA private key contained in the server certificate file in the Certificate Password field.

    Vidyo recommends that you do not upload your own certificate files if you are using our Splunk server.

     

  10. Upload a new root Certificate Authority file if necessary:

    • Click Choose File and choose the .crt file that you want to upload.
    • Click Upload Root CA.

  11. Upload a new Certificate file if necessary:

    • Click Choose File and choose the .pem file that you want to upload.
    • Click Upload Certificate.

  12. Click the Generate Diag File button if Splunk forwarder issues arise.

    The diag file appears in the Log File List section with a .tar.gz extension for you to download. This file will help you troubleshoot any Splunk forwarder issues. For information about how to download log files, see Setting the Log Levels and Accessing the Log Files. You can click the Delete Diag File button to delete the diag file from the system if necessary.

  13. Click Save.


Modifying the Splunk Forwarder Defaults

If the Splunk forwarder is enabled and you want to send logs to the Splunk server, the hostname and index must be provided. The other fields are automatically populated with default values if left empty. If your organization has its own Splunk server deployed, you can modify these default values by clicking the Modify Defaults button. The Modify Defaults button becomes disabled after the Save button is clicked.

In order for the Splunk forwarder to work correctly, your VidyoRoom system hostname must be set to a unique value and the index provided in the Index field must match the index on the Splunk server. Additionally, if ‘vr’ is entered in the Hostname field in the Settings > Network section, then the Splunk forwarder settings will not be saved. A pop-up will appear alerting you of this issue.



For information about how to set the hostname, see Configuring the Network Settings.

To modify the Splunk forwarder defaults:

  1. Click the Logs tab.



  2. Click the blue triangle next to the words Splunk Forwarder to view the Splunk Forwarder settings if necessary.

  3. Click the Modify Defaults button.

    The Splunk Forwarder pop-up appears.



  4. Click Ok.

    The fields become active.

  5. Modify the appropriate fields as necessary.

    For information about how to configure these fields, see the Enabling the Splunk Forwarder section above.

  6. Click Save.