topic Re: Universal Forwarder with Sysmon not forwarding Correctly in Getting Data In

Universal Forwarder with Sysmon not forwarding Correctly

wuming79 — Fri, 14 Jul 2017 03:18:12 GMT

Hi,

I'm trying to study the activities of some Malware thus I created the following environment using virtualbox. But I could not get the forwarder to work correctly. I could only get 1 event when I reboot guest 2. Did I miss out some other configurations?

Host

**
Disable VirtualBox Host-Only Network so that Guest and Host could not ping each other but Guest can guest to guest.

Guest 1:

**
IE8WIN7, SP1, IE Version 8.0.7601.17514
Network: Nat Network
IP: 10.0.2.15
Installed Splunk Enterprise
Open port 9998 to receive events (set up at http://localhost:8000/en-US/manager/search/data/inputs/tcp/cooked)
Set Firewall to allow inbound and outbound 10.0.2.4 and port 9998.

Guest 2:

**
IE8WIN7, SP1, IE Version 8.0.7601.17514
IP: 10.0.2.4
Installed Splunk Universal Forwarder
Install sysmon via CLI "sysmon -i -n -accepteula"
Added the following into universal forwarder input.conf

"[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true"

Set Firewall to allow inbound and outbound 10.0.2.15 and port 9998.

I only got 1 event after Guest 2 reboots. After that, no matter what programs I open in Guest 2, there is no events seens from Guest 1.

Re: Universal Forwarder with Sysmon not forwarding Correctly

hardikJsheth — Fri, 14 Jul 2017 06:00:05 GMT

What you need to do is enable receiving on your guest 1. For login to Guest 1 splunk web ui, go to Settings --> Forwarding And Receiving and configure receiving.

On Guest 2 where you have installed universal forwarder, add outputs.conf entry to enable UF to forward data to Splunk Enterprise server.

[tcpout:eis_clustered_indexers]
server = ip_address:port

Re: Universal Forwarder with Sysmon not forwarding Correctly

wuming79 — Fri, 14 Jul 2017 07:55:32 GMT

Hi hardikJsheth,

My guest 1 was configured to listen on port 9997. Do I need to do anything on "Configure Forwarding"?

My guest 2 universal forwarder output.conf default with the following:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.2.4:9997

[tcpout-server://10.0.2.4:9997]

I just appended the following below:

 [tcpout:eis_clustered_indexers]
 [tcpout-server://10.0.2.4:9998]

Results: No results.

Re: Universal Forwarder with Sysmon not forwarding Correctly

wuming79 — Mon, 17 Jul 2017 15:09:50 GMT

I have uninstall and reinstall universal forwarder without indicating deployment server and receiving information.
I then tried to follow the instructions at https://answers.splunk.com/answers/126122/no-available-server-list-on-opt-splunkforwarder-bin-splunk-list-forward-server.html

I went to check my Guest 1, and still nothing from Guest B... I reboot Guest B and it seems that I have also lost the initial event that I saw previously (in first post).

I went to check C:\Program Files\SplunkUniversalForwarder\etc\system\local
my input.conf and output.conf are as below:

input.conf

[default]
host = IE8Win7

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

output.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.2.4:9997

Re: Universal Forwarder with Sysmon not forwarding Correctly

wuming79 — Tue, 18 Jul 2017 02:24:39 GMT

Do I just need to set allow TCP port 9997 (local and remote) in outbound rule in guest 1 and set allow TCP port 9997 (local and remote) in outbound rule in guest 2?
Do I actually need to set allow IP 10.0.2.4 (local and remote) in outbound rule in Guest 1 and set allow IP 10.0.2.15 (local and remote) in outbound rule in Guest 2?

Re: Universal Forwarder with Sysmon not forwarding Correctly

hardikJsheth — Tue, 18 Jul 2017 05:41:02 GMT

You are sending data from Guest 2 to Guest 1 on 9997. You need to enable inbound traffic on guest 1 for port 9997 and outbound traffic on guest 2 to 9997.

Re: Universal Forwarder with Sysmon not forwarding Correctly

wuming79 — Tue, 18 Jul 2017 06:00:46 GMT

Hi, I tried enable inbound traffic on guest 1 for port 9997 TCP and UDP and outbound traffic on guest 2 to 9997 TCP and UDP but still no data..

Re: Universal Forwarder with Sysmon not forwarding Correctly

wuming79 — Tue, 18 Jul 2017 15:31:09 GMT

I saw the following msg in splunkd.log on guest1.
ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-Sysmon/Operational'

Does this mean guest2 has forworded something over to guest1 but still can't find event log?

Re: Universal Forwarder with Sysmon not forwarding Correctly

wuming79 — Wed, 19 Jul 2017 04:38:53 GMT

I tried the cmd "splunk list forward-server" in SplunkUniversalForwarder/bin to check the connection, after entering my userId and password, it just came back to DOS and shows nothing. I have another VMWare using vmnet8 adapter and I was able to forward my sysmon out. The cmd "splunk list forward-server" was able to see active connections. What could possibility be the issue? Virtualbox incompatible issue??

Re: Universal Forwarder with Sysmon not forwarding Correctly

wuming79 — Sat, 22 Jul 2017 08:13:58 GMT

Just for record since I didn't find any answers on this subject yet.
The reason why splunk list forward-server was because my cmd was not executed as administration.
When I executed as administrated, I could see my IP and port configured and active.

Now the issue again...so list forward-server listed my ip port as configured and active and I had allow the ports to communicate between the 2 guest, why didn't the data came in?

Re: Universal Forwarder with Sysmon not forwarding Correctly

Phrack — Tue, 29 Sep 2020 22:50:59 GMT

Not trying to revive a dead post, however if others are facing the same problem. Check the name of the .conf files created. You listed your files as input.conf and output.conf. The correct file name is input*s.conf and outputs*.conf.

Fix the file name and you probably would have your problem solved.

,Don't want to revive a dead post, however you may have had issues with the names of your .conf files. You listed them as input.conf and output.conf NOT input*s.conf and outputs*.conf