Deployment Architecture

How can I monitor logs from a WAN?

jbosano
Engager

I want to monitor logs on a remote computer (on the WAN).

I would like to forward the logs in order to watch them on my local computer.

How can I do this?

0 Karma

earlhelms
Path Finder

Your terminology could use some work. Traffic in a WAN is no less routable than traffic in a LAN.

0 Karma

mattymo
Splunk Employee

This comes down to networking.

In order for a remote computer running a forwarder (or doing anything else, for that matter) to reach your local LAN (I will assume the local computer is on your home network for the sake of this example), you should look into something like dyndns, which will allow your ever-changing home internet IP to be reachable.

Once you have done that, you will need to set port forwarding rules in your home router/firewall, to allow traffic to enter your network over 9997 (or whatever port you wish to serve), and you will want to ensure you use SSL on that forwarder connection for secure data transfer.

i.e. the WAN UF will send traffic to jbosano.dyndns.org:9997, which will hit your home router; the router will then turn around and forward that traffic to 192.168.1.10 (your local computer address, just an example).

I run a very similar setup in my home lab and as long as you get the networking right, this will work nicely.

Once the networking is complete, you just need to ensure the forwarder is configured correctly.

http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Aboutsecuringdatafromforwarders

- MattyMo

jbosano
Engager

Thank you for your answer, I thought about the same solution as the one you brought me.

But actually I think there is a Splunk server we can forward logs into and analyse them directly from one computer. Configuring port forwarding rules on each router is too complicated.

Have you heard about how to forward logs on splunk server, in a unique admin account?

0 Karma

mattymo
Splunk Employee

I'm not sure what you mean???

The forwarder on the remote computer(s), will forward the logs to the Splunk server you are running at home. Then you can search all the remote computer logs on the one server you are running at home.

The only router you need to configure is the one sitting in front of your splunk server.

- MattyMo
0 Karma

jbosano
Engager

Okay, thank you, I got it. Can I know exactly what "forward-server" is: is it the remote computer that holds the logs? And search-server, is it the home server that will receive all the logs?

0 Karma

mattymo
Splunk Employee

Protip: ./splunk help command is a great resource!

Many of us have opined that the term forward-server can be misleading, but as the help command shows, it will display the machines that the forwarder is sending data to. In your case, your home computer should show up as an active forward.

[splunker@n00bserver bin]$ ./splunk help list forward-server

list servers that this server forwards data to

[splunker@n00bserver bin]$ ./splunk list forward-server
Active forwards:
    None
Configured but inactive forwards:
    None
[splunker@n00bserver bin]$ 
- MattyMo
0 Karma

jbosano
Engager

Can I test it on a local network? When I put a private IP, it didn't work for me. I would like to know whether it works in theory, in order to know whether I can test it on a private network or whether I have to test on a public internet IP.

0 Karma

mattymo
Splunk Employee

You can absolutely test on the private network.

Just ensure that the IP that you configure is reachable from the computer running the forwarder, and ensure the Splunk Enterprise instance that you are forwarding to has the correct receiver port open.

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata

- MattyMo
0 Karma

jbosano
Engager

I think I have to type: splunk add search-server
Don't I?

0 Karma

jbosano
Engager

Is it TCP or UDP?

0 Karma

mattymo
Splunk Employee

It is TCP 9997, but you can choose whatever.

I just configure outputs.conf to set it up, but yes, you can do it from the CLI like that.

http://docs.splunk.com/Documentation/Forwarder/7.0.0/Forwarder/Configuretheuniversalforwarder

- MattyMo
0 Karma
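Mattymo's two replies above (port-forward 9997 to the home indexer with SSL on the forwarder connection, and set the destination in outputs.conf rather than via the CLI) together describe one configuration. The following is an added example of that setup and is not configuration posted in the thread; the hostname jbosano.dyndns.org is taken from mattymo's example, the certificate file names and password are placeholders, and the key names assume the 7.0 outputs.conf/inputs.conf documentation linked above (older releases spell some of them differently).

```ini
# --- Remote Windows computer (universal forwarder) ---
# File: $SPLUNK_HOME\etc\system\local\outputs.conf
# CLI equivalent from the thread: .\splunk add forward-server jbosano.dyndns.org:9997
[tcpout]
defaultGroup = home_indexer

[tcpout:home_indexer]
# Public DNS name of the home router; the router forwards TCP 9997 to the indexer (e.g. 192.168.1.10)
server = jbosano.dyndns.org:9997

# Encrypt the forwarder-to-indexer stream and verify who we are talking to
# (placeholder paths and password; generate your own CA and certificates)
sslRootCAPath = $SPLUNK_HOME\etc\auth\mycerts\cacert.pem
clientCert = $SPLUNK_HOME\etc\auth\mycerts\forwarder.pem
sslPassword = CHANGEME_placeholder
sslVerifyServerCert = true
# Must match the CN in the indexer's server certificate, not necessarily the dyndns name
sslCommonNameToCheck = home-indexer

# --- Home computer (Splunk Enterprise receiver) ---
# File: $SPLUNK_HOME\etc\system\local\inputs.conf
# Listen for SSL-wrapped forwarder traffic on the port the router forwards to this host
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME\etc\auth\mycerts\indexer.pem
sslPassword = CHANGEME_placeholder
# Because 9997 is exposed to the internet, only accept forwarders that present
# a client certificate signed by your CA; anything else is dropped at the TLS handshake
requireClientCert = true
```

After restarting both instances, `.\splunk list forward-server` on the remote computer should show jbosano.dyndns.org:9997 under "Active forwards" if the port forward, DNS name and certificates all line up.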

jbosano
Engager

Here is my project:

From one server, I would like to follow logs on computers that are over the internet, watching for the "error" keyword.

I know how to monitor folders and I know how to look for keywords in the logs, but only on my local computer. When I try to forward logs to my local computer with the CLI (splunk add search-server ...), I get the error "error occured: error while sending public key to search peer: Connection closed by peer".

0 Karma

adonio
Ultra Champion

What kind of logs are you interested in?
You can install a forwarder on your target computer and configure its inputs to capture the relevant data.
Configure the forwarder to send data to Splunk.
Read here for more details:
http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/WhatSplunkcanmonitor
Hope it helps.

0 Karma

jbosano
Engager

- My local computer is a Windows 10 Pro x64.
- The remote computer is the same operating system as the local computer.
- The network between them is the internet.
- I installed the universal forwarder on the remote computer.
- I have Splunk Enterprise on the local computer.

All I have found is the CLI command, run in PowerShell: .\splunk add forward-server with the IP and the port.

I just don't understand how it works, unfortunately.

0 Karma

darrenfuller
Contributor

Not enough information to proceed.

What operating system is your local computer?
What operating system is the remote computer?
What is the network between them? Internet? Company WAN?

Where is there a forwarder installed? Local computer? Remote computer?

Where is Splunk installed? Is that on the local computer?

0 Karma