This guide walks you through installing Monitoring Linux end-to-end: configuring the Splunk app and HTTP Event Collector, then installing Collectord on your Linux host as a systemd service to forward host logs (syslog, journald), host metrics, and process metrics. A typical install takes under 10 minutes. If you don’t have a license yet, you can request a 30-day evaluation.
Install the Monitoring Linux application
Install Monitoring Linux from Splunkbase on your Search Heads only.
If you’re using a dedicated index that isn’t searchable by default, update the macro_linux_base macro to include it:
macro_linux_base = (index=linux)

Enable HTTP Event Collector in Splunk
Collectord forwards data to Splunk over the HTTP Event Collector (HEC). If HEC isn’t enabled yet, follow Splunk’s HTTP Event Collector walkthrough.
The minimum requirement is Splunk Enterprise or Splunk Cloud 6.5. If you’re managing Splunk Clusters older than 6.5, see our FAQ on setting up a Heavy Weight Forwarder in between.
Once HEC is enabled, you need two pieces of information for the rest of this guide: the HEC endpoint URL and an HEC token. You can verify both with curl:
$ curl -k https://hec.example.com:8088/services/collector/event/1.0 -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'
{"text": "Success", "code": 0}

A "Success" response confirms both that the endpoint is reachable and that the token is accepted; a wrong token produces HTTP 403 with {"text": "Invalid token", "code": 4}. -k disables server certificate validation; use it only while testing against a self-signed certificate, and drop it once the endpoint presents a certificate your host trusts.
Splunk Cloud uses a different HEC URL than Splunk Web — see Send data to HTTP Event Collector on Splunk Cloud instances.
Install Collectord for Linux
Download collectorforlinux.tar.gz and extract it into /opt/collectorforlinux. The archive contains builds for both amd64 and aarch64 architectures.
curl -o /tmp/collectorforlinux.tar.gz /docs/monitoring-linux/builds/5.21.410/collectorforlinux.tar.gz
sudo mkdir -p /opt/collectorforlinux
sudo tar -xvf /tmp/collectorforlinux.tar.gz -C /opt/collectorforlinux

The download itself needs no root privileges; only the extraction into /opt does. Open /opt/collectorforlinux/etc/002-user.conf with your editor:
sudoedit /opt/collectorforlinux/etc/002-user.conf

(sudoedit edits a temporary copy with your own editor and writes it back as root; sudo with the editor of your choice works as well.) This file holds your overrides for the Collectord defaults. The full default configuration lives in /opt/collectorforlinux/etc/002-general.conf; refer to it when you need to know what options exist, and keep your changes in 002-user.conf.
In 002-user.conf, set the Splunk HEC URL and token, review and accept the license agreement, and paste in your license key (request an evaluation key with this automated form). Naming the cluster is optional but useful when you’re monitoring more than one host group and want to filter by cluster in the app.
[general]
acceptLicense = true
license = ...
fields.linux_cluster = dev

[output.splunk]
url = https://hec.example.com:8088/services/collector/event/1.0
token = B5A79AAD-D822-46CC-80D1-819F80D7BFB0
insecure = true

insecure = true turns off TLS certificate validation for the HEC connection, the same trade-off as curl -k above: set it only while the endpoint uses a self-signed certificate and remove it once a trusted certificate is in place. The file now contains your HEC token and license key, so keep it owned by root and readable by root only. You can run collectorforlinux directly from the terminal to confirm the configuration is valid:
sudo /opt/collectorforlinux/bin/collectorforlinux

Install the collectorforlinux service with systemd
The package ships a systemd unit you can link with systemctl and run as a background daemon:
sudo systemctl link /opt/collectorforlinux/bin/collectorforlinux.service
sudo systemctl daemon-reload
sudo systemctl enable collectorforlinux
sudo systemctl start collectorforlinux

Tail the logs to confirm Collectord is running:
sudo journalctl -fu collectorforlinux

Next steps
- Review the predefined alerts and enable the ones relevant to your environment.
- If something looks off, work through the troubleshooting checks.
- Configure log forwarding from custom locations beyond /var/log and journald.
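Putting the configuration, HEC and service checks from this guide together, here is an added preflight script. It is example code written for this page, not part of Collectord or the Monitoring Linux app. It assumes the configuration keys shown above ([general] acceptLicense and license, [output.splunk] url, token and insecure), that HEC tokens are UUID-shaped like the example token, and GNU or busybox stat on a Linux host; the file name collectord-preflight.sh in the usage line is hypothetical. Run it against 002-user.conf before and after installing the service:

```shell
#!/bin/sh
# Preflight checks for a Collectord install (added example, not Collectord's own code).
# Assumes the keys this guide uses: [general] acceptLicense/license and
# [output.splunk] url/token/insecure. stat -c needs GNU or busybox stat (Linux).

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION], empty if absent.
conf_get() {
  awk -v sect="$2" -v key="$3" '
    /^[[:space:]]*\[/ { l = $0; gsub(/[[:space:]]/, "", l); in_sect = (l == "[" sect "]"); next }
    in_sect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }' "$1"
}

# check_conf FILE: validate the settings this guide asks for; returns 1 on any FAIL.
check_conf() {
  conf=$1; rc=0
  [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
  [ "$(conf_get "$conf" general acceptLicense)" = "true" ] \
    || { echo "FAIL: [general] acceptLicense must be true"; rc=1; }
  [ -n "$(conf_get "$conf" general license)" ] \
    || { echo "FAIL: [general] license is empty"; rc=1; }
  url=$(conf_get "$conf" output.splunk url)
  case "$url" in
    https://*/services/collector*) ;;
    http://*) echo "FAIL: HEC url is plain http, the token would cross the wire unencrypted"; rc=1 ;;
    *) echo "FAIL: [output.splunk] url is missing or not a HEC collector endpoint: '$url'"; rc=1 ;;
  esac
  token=$(conf_get "$conf" output.splunk token)
  if [ -z "$token" ]; then
    echo "FAIL: [output.splunk] token is empty"; rc=1
  elif ! printf '%s\n' "$token" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'; then
    echo "WARN: token does not look like a Splunk HEC token (UUID), check for copy errors"
  fi
  [ "$(conf_get "$conf" output.splunk insecure)" = "true" ] \
    && echo "WARN: insecure = true, TLS certificate validation is off for the HEC connection"
  return $rc
}

# check_perms FILE: the file holds the HEC token and license key, so only root should read it.
check_perms() {
  conf=$1
  mode=$(stat -c '%a' "$conf") || return 1
  case "$mode" in
    600|400|640) ;;
    *) echo "WARN: $conf is mode $mode, run: sudo chown root:root $conf && sudo chmod 600 $conf"; return 1 ;;
  esac
  [ "$(stat -c '%U' "$conf")" = "root" ] || echo "WARN: $conf is not owned by root"
  return 0
}

# check_hec URL TOKEN [extra curl args]: send one test event, expect HTTP 200 (needs network).
check_hec() {
  url=$1; token=$2; shift 2
  out=$(curl -sS "$@" "$url" -H "Authorization: Splunk $token" \
          -d '{"event": "collectord preflight"}' -w '\n%{http_code}') || return 1
  code=$(printf '%s\n' "$out" | tail -n 1)
  echo "HEC answered HTTP $code: $(printf '%s\n' "$out" | sed '$d')"
  [ "$code" = "200" ]
}

# check_service: true once the systemd unit from this guide is active.
check_service() { systemctl is-active --quiet collectorforlinux; }

# Usage: sudo sh collectord-preflight.sh /opt/collectorforlinux/etc/002-user.conf
# Nothing runs when the file is sourced only for its functions.
if [ "$#" -gt 0 ]; then
  CONF=$1
  check_conf "$CONF"; check_perms "$CONF"
  extra=; [ "$(conf_get "$CONF" output.splunk insecure)" = "true" ] && extra=-k
  check_hec "$(conf_get "$CONF" output.splunk url)" "$(conf_get "$CONF" output.splunk token)" $extra
  if check_service; then echo "collectorforlinux service is active"
  else echo "collectorforlinux service is not active (expected before systemctl start)"; fi
fi
```

check_hec reuses the curl call from the HEC section and passes -k only when the config itself says insecure = true, so the script never skips certificate validation on its own. check_perms fails on anything wider than 0600/0640 because the file carries both the HEC token and the license key, and a token leaked from a world-readable file lets anyone who can reach port 8088 write events into your index.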