SC4S Configuration Tool¶
The SC4S Configuration Tool is an interactive shell script that generates an optimized env_file for Splunk Connect for Syslog. Instead of manually editing environment variables, you answer a series of prompts and the tool produces a ready-to-deploy configuration file.
Prerequisites¶
- A running shell environment (bash or sh)
- Your need to know your Splunk HEC URL and token
Quick start¶
Run the tool from the root of the SC4S repository:
sh ./configuration-tool.sh
The tool walks you through each configuration section and writes the result to an env_file (or a filename you choose). A review step is shown before anything is written to disk.
Command-line options¶
| Option | Description |
|---|---|
-h, --help |
Show help message |
-o, --output |
Set the output filename (default: env_file) |
Example:
sh ./configuration-tool.sh -o my_sc4s_config
Configuration modes¶
Mode 1: Custom configuration¶
Step-by-step interactive mode where you control every setting. This is the default when you run the tool.
The tool prompts you through the following sections in order:
- Splunk HEC — URL, token, and TLS verification
- Protocol selection — UDP only, TCP only, or both
- Advanced UDP options — fetch limit, listen sockets, receive buffer, eBPF, window size
- Advanced TCP options — receive buffer, parallelization, window size
- Disk buffer — enable/disable, reliable vs normal mode, memory and disk buffer sizes
Mode 2: Hardware-based configuration¶
Auto-tuned mode that selects performance settings based on your hardware profile and expected events per second (EPS). You only need to provide:
- Hardware profile — select the instance type closest to your environment
- Expected EPS — your anticipated event throughput
- Protocol — UDP, TCP, or both
- Splunk HEC — URL, token, and TLS verification
The tool applies optimized defaults based on these inputs. See Hardware profiles for the available profiles.
Configuration sections¶
Splunk HEC¶
| Setting | Description | Example |
|---|---|---|
| HEC URL | The URL of your Splunk HTTP Event Collector endpoint | https://splunk.example.com:8088 |
| HEC Token | A valid HEC token in UUID format | 00000000-0000-0000-0000-000000000000 |
| TLS Verify | Whether to verify SSL/TLS certificates (default: yes) | yes or no |
Both the URL and token are validated before proceeding.
Protocol selection¶
| Option | Description |
|---|---|
| UDP only | Faster throughput, but messages may be lost under heavy load |
| TCP only | Reliable delivery with guaranteed ordering |
| Both | Optimize for both UDP and TCP |
Choose based on your data sources and reliability requirements. See Protocol selection guidance for help deciding.
Advanced options¶
These options appear after protocol is selected. For the full list of UDP-related environment variables and their defaults, see the Configuration reference.
Hardware profiles¶
In hardware-based mode, the tool uses predefined profiles to automatically select performance settings appropriate for your infrastructure. Instead of manually tuning each parameter, you select the profile that most closely matches your environment and provide your expected events per second (EPS). The tool then determines which optimizations to apply — such as receive buffer sizes, eBPF, parallelization, and socket counts — based on the combination of hardware capacity and throughput requirements.
The available profiles are:
| Profile | Specs | Example instance |
|---|---|---|
| Large | 16 vCPUs, 64 GB RAM | AWS m5.4xlarge |
| Medium | 8 vCPUs, 32 GB RAM | AWS m5.2xlarge |
| Small | 4 vCPUs, 16 GB RAM | AWS m5.xlarge |
Select the profile closest to your deployment hardware. If your EPS is below the tuning threshold for the selected profile, default settings are used and no additional performance optimizations are applied.
For details on the individual settings that may be tuned, see the Configuration reference and Fine-tuning SC4S.
Output¶
The tool generates an env_file with contents similar to:
# SC4S Configuration - Generated by configuration tool
# Mode: Hardware-based (8vCPUs)
# Expected EPS: 30000
# Protocol: udp
# Generated on: Thu Mar 5 12:00:00 UTC 2026
# === Splunk HEC Configuration ===
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://splunk.example.com:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=12345678-1234-1234-1234-123456789abc
# === Performance Configuration ===
SC4S_SOURCE_UDP_FETCH_LIMIT=1000000
SC4S_SOURCE_LISTEN_UDP_SOCKETS=32
SC4S_ENABLE_EBPF=yes
SC4S_EBPF_NO_SOCKETS=16
Before writing, the tool displays the full configuration for review and asks for confirmation.
Post-configuration steps¶
After generating your env_file:
-
Copy the file to your SC4S deployment directory (typically
/opt/sc4s/env_file). -
Follow the recommendations displayed by the tool after generation. Depending on your chosen settings, the tool may print additional steps such as OS-level tuning or permission requirements.
-
Restart SC4S to apply the new configuration.
-
Run performance tests to validate your setup. See Performance tests for instructions.
Testing the generated configuration¶
You can verify the generated configuration works by running SC4S and sending test events:
# Test with TCP
echo "Hello SC4S TCP test" | nc <sc4s_host> 514
# Test with UDP
echo "Hello SC4S UDP test" | nc -u <sc4s_host> 514
Confirm the events appear in Splunk by searching:
index=* "Hello SC4S"
Further reading¶
- Performance tests for benchmarking your deployment.
- Fine-tuning SC4S for detailed guidance on individual performance settings.
- Configuration reference for the full list of SC4S environment variables.
- Architecture overview for protocol selection guidance.