This TA is deployed on Forwarders, Indexers and Search Heads.
This TA can be deployed to the indexer without any further changes. It is recommended to create a new index called cacti. An indexes.conf file is not included with this TA.
Install and Deploy the app to the search head.
On the search head, the add-on will provide:
- search time extractions, lookups, macros and event types
To complete the install, you will need to update the follow:
- macros.conf
- cacti_index: replace index=* with the appropriate index
To complete the ingestion of data, deploy the Splunk_TA_Cacti to the forwarder installed on the same host as your Cacti implementation. If you have multiple installs, you can deploy it across multiple Cacti servers.
For this add-on to work, you will need to have installed the Cacti Mirage plugin to the Cacti servers. In addition, you will need the following information:
- Path to Cacti install (i.e. /var/www/html/cacti or /usr/share/lib/cacti)
- Path to mirage_poller_output.log (i.e /var/www/html/cacti/log/mirage_poller_output.log)
- Index to send data to (either default or index=cacti, etc)
For deploying the add-on, copy the following files from the default directory to the local directory.
- inputs.conf
Edit the local/inputs.conf file and make the following changes:
- enable all inputs stanzas: change disabled = true to disabled = false
- modify all stanzas to reflect the appropriate destination index (i.e. index=cacti)
- [monitor:///usr/share/cacti/log/mirage_poller_output.log]
- Set to the correct path to the mirage_poller_output.log file. This file is generated by the Cacti Mirage plugin
- [monitor:///usr/share/cacti/log/cacti.log]
- Set to the correct path to the cacti.log file, which is most likely in the log/ folder inside the Cacti install.
- [script://./bin/cacti_lookup_mirage.py /usr/share/cacti]
- Change /usr/share/cacti to the folder where you installed Cacti
Copyright 2016 Matthew Modestino, Philippe Tang, Menno Vanderlist