topic Re: Not receiving Linux logs in Getting Data In

Not receiving Linux logs

j666gak — Thu, 08 Dec 2011 14:43:32 GMT

Hello,

I am setting up a test rig, and not receiving any logs from another Linux box (please see rig details below).

Splunk Server - Fedora 15 (Latest version of Splunk)
Security Onion - Xubuntu (Universal Forwarder installed - not reporting)
Windows Desktop - XP Pro installed (Universal Forwarder installed and reporting)

I have installed the universal forwarder on the security onion machine but only gave the option to set the management port, not sure if anything else needs setting up. I am new to Linux so I am sorry if this is a newbie question.

Many Thanks
Guy

Re: Not receiving Linux logs

dmaislin_splunk — Thu, 08 Dec 2011 15:22:01 GMT

Go to the forwarder and cd to $SPLUNK_HOME/bin

Run this command: . ./setSplunkENV

That sets up the environment and puts Splunk in your path.

Next, run this command: splunk add forward-server YOURSPLUNKSERVER:9997

Restart Splunk with this command: splunk restart

On the Splunk server login to the UI and go to manager/forwarding and receiving/configure receiving
Add a new receiver and Listen on port 9997

Hopefully that should cover it.

Re: Not receiving Linux logs

Ayn — Thu, 08 Dec 2011 15:59:40 GMT

What about configuring inputs?

Re: Not receiving Linux logs

dmaislin_splunk — Thu, 08 Dec 2011 16:05:47 GMT

I made the assumption that he already had added something to the inputs.conf file on the forwarder. If not, simply download the *Nix App to the Splunk Server, configure everything and save it.

Now, on the Splunk server, go the $SPLUNK_HOME/etc/apps
From there, run: tar -czvf unix.tgz unix

Copy this file over to the forwarder and place into the $SPLUNKHOME/etc/apps directory.
From there run: tar -zxvf ./unix.tgz
Then restart the forwarder with $SPLUNK_HOME/bin/splunk restart

All would be easier with a deployment server configured, but that's another thread.

Re: Not receiving Linux logs

j666gak — Thu, 08 Dec 2011 17:02:02 GMT

Hi dmaislin_splunk,

Thank you for all of your help. When trying to run the command below I have replaced the "YOURSPLUNKSERVER" with the IP address of the Splunk server.

splunk add forward-server YOURSPLUNKSERVER:9997

However when runing the command I get either an error for permission, which there is no su password set on the security onion images. I then tried running the SUDO command and then get prompted to enter a Splunk username which I enter the admin username and password used on the web frontend which failed and then tried credentials for the account logged on to the Fedora machine which failed. Not sure which other credentials I can try?

Thanks again

Re: Not receiving Linux logs

dmaislin_splunk — Thu, 08 Dec 2011 17:11:35 GMT

Password on the forwarders was never changed. It is most likely:

admin
changeme

Re: Not receiving Linux logs

tonopahtaos — Thu, 26 Apr 2012 21:52:42 GMT

This is very helpful.

Re: Not receiving Linux logs

tonopahtaos — Thu, 26 Apr 2012 22:10:14 GMT

The password for admin is always ‘changeme’ regardless the real password in indexer is. This means people can easily do an attack against a real splunk indexer with lots of junk data. Of course, such person needs a machine access insider such company.