I want to monitor logs on a remote computer (on the wan)
I would like to forward the logs in order to watch them on my local computer.
How can I do that?
Your terminology could use some work. Traffic in a WAN is no less routable than traffic in a LAN.
This comes down to networking.
In order for a remote computer running a forwarder (or doing anything else, for that matter) to reach your local LAN (I will assume the local computer is on your home network for the sake of this example), you should look into something like DynDNS, which will allow your ever-changing home internet IP to be reachable.
Once you have done that, you will need to set port forwarding rules in your home router/firewall, to allow traffic to enter your network over 9997 (or whatever port you wish to serve), and you will want to ensure you use SSL on that forwarder connection for secure data transfer.
i.e., the WAN UF will send traffic to jbosano.dyndns.org:9997, which will hit your home router; the router will then turn around and forward that traffic to 192.168.1.10 (your local computer address, just an example).
I run a very similar setup in my home lab and as long as you get the networking right, this will work nicely.
Once the networking is complete, you just need to ensure the forwarder is configured correctly.
http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Aboutsecuringdatafromforwarders
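As an added example (not part of the original answer or of Splunk's documentation), here is what the two ends of that setup look like when staged from PowerShell on the Windows hosts the thread later describes: a plaintext outputs.conf beside the SSL-enabled one on the remote Universal Forwarder, and a receiver on the home Splunk Enterprise instance that only accepts TLS with a client certificate. The hostname jbosano.dyndns.org and the address 192.168.1.10 come from the thread; the install paths, certificate file names and key password are assumptions, and setting names should be checked against the outputs.conf.spec and inputs.conf.spec of the version you run. The router port-forward rule itself is configured on the router, not here.

```powershell
# Added example, not from the original thread. Stages SSL-enabled forwarding configs.
# Assumptions: default install paths, a private CA at etc/auth/mycerts, PEM certs
# already issued for the forwarder and the indexer, and a placeholder key password.
$ErrorActionPreference = 'Stop'

# ----- Remote computer: Universal Forwarder -----
$uf = 'C:\Program Files\SplunkUniversalForwarder'

# Weak setting: plain Splunk-to-Splunk TCP across the internet. Anyone on the path
# between the remote box and the home router can read every forwarded log line.
$plaintextOutputs = @"
[tcpout]
defaultGroup = home_indexer

[tcpout:home_indexer]
server = jbosano.dyndns.org:9997
"@

# Hardened setting: TLS, forwarder presents a client cert, and the receiver's cert
# must chain to our CA and carry the expected name (otherwise a DNS hijack of the
# DynDNS name would silently redirect the logs).
$sslOutputs = @"
[tcpout]
defaultGroup = home_indexer

[tcpout:home_indexer]
server = jbosano.dyndns.org:9997
clientCert = `$SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <forwarder-key-password>
sslVerifyServerCert = true
sslCommonNameToCheck = jbosano.dyndns.org
"@

# The CA used to verify the receiver lives in server.conf on the forwarder.
$ufServerConf = @"
[sslConfig]
sslRootCAPath = `$SPLUNK_HOME/etc/auth/mycerts/ca.pem
"@

$ufLocal = Join-Path $uf 'etc\system\local'
New-Item -ItemType Directory -Force -Path $ufLocal | Out-Null
Set-Content -Path (Join-Path $ufLocal 'outputs.conf') -Value $sslOutputs   # not $plaintextOutputs
Set-Content -Path (Join-Path $ufLocal 'server.conf')  -Value $ufServerConf
& (Join-Path $uf 'bin\splunk.exe') restart

# ----- Home computer (192.168.1.10): Splunk Enterprise receiver -----
$se = 'C:\Program Files\Splunk'

# Listen only on the SSL receiver stanza and refuse forwarders without a client cert,
# so the port-forwarded 9997 exposed to the internet is not an anonymous log sink.
$receiverInputs = @"
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = `$SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <indexer-key-password>
requireClientCert = true
"@

$seServerConf = @"
[sslConfig]
sslRootCAPath = `$SPLUNK_HOME/etc/auth/mycerts/ca.pem
"@

$seLocal = Join-Path $se 'etc\system\local'
New-Item -ItemType Directory -Force -Path $seLocal | Out-Null
Set-Content -Path (Join-Path $seLocal 'inputs.conf') -Value $receiverInputs
Set-Content -Path (Join-Path $seLocal 'server.conf') -Value $seServerConf

# Host firewall on the home computer; the router's port-forward rule is separate.
New-NetFirewallRule -DisplayName 'Splunk receiver TCP/9997' -Direction Inbound `
    -Protocol TCP -LocalPort 9997 -Action Allow | Out-Null
& (Join-Path $se 'bin\splunk.exe') restart
```

Splunk rewrites the sslPassword values in encrypted form on restart, so the placeholders above only exist in clear text until the first restart; on the Windows hosts, also keep the etc\system\local and etc\auth\mycerts folders readable by the Splunk service account only.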
Thank you for your answer, I thought about the same solution as the one you brought me.
But actually I think there is a Splunk server that we can forward logs to, and analyse them directly from one computer. Configuring port forwarding rules on each router is too complicated.
Have you heard about how to forward logs on splunk server, in a unique admin account?
I'm not sure what you mean?
The forwarder on the remote computer(s), will forward the logs to the Splunk server you are running at home. Then you can search all the remote computer logs on the one server you are running at home.
The only router you need to configure is the one sitting in front of your splunk server.
Okay, thank you, I got it. Can I know exactly about "forward-server": is it the remote computer that holds the logs? And search-server, is it the home server that will receive all the logs?
Protip: the ./splunk help command is a great resource!
Many of us have opined that the term forward-server can be misleading, but as the help command shows, it will display the machines that the forwarder is sending data to. In your case, your home computer should show up as an active forward.
[splunker@n00bserver bin]$ ./splunk help list forward-server
list servers that this server forwards data to
[splunker@n00bserver bin]$ ./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
None
[splunker@n00bserver bin]$
Can I test it on a local network? When I put a private IP, it didn't work for me. I would like to know if it works in theory, so that I know whether I can test it on a private network or whether I have to test it on a public internet IP.
You can absolutely test on the private network.
Just ensure that the IP that you configure is reachable from the computer running the forwarder, and ensure the Splunk Enterprise instance that you are forwarding to has the correct receiver port open.
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata
I think I have to type: splunk add search-server, don't I?
is it tcp or UDP?
It is TCP 9997, but you can choose whatever.
I just configure outputs.conf to set it up, but yes, you can do it from the CLI like that.
http://docs.splunk.com/Documentation/Forwarder/7.0.0/Forwarder/Configuretheuniversalforwarder
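The CLI route to the same result, as an added example in PowerShell (not code from the thread or from Splunk's documentation), covering the three points raised above: check that the receiver port is reachable before anything else, tell the forwarder where to send (`add forward-server`, which is the forwarder-side counterpart of writing outputs.conf by hand; `add search-server`, which the thread also mentions, registers a distributed-search peer and is a different thing), and confirm with `list forward-server`. The hostname and TCP port 9997 come from the thread; install paths, the monitored folder, the index name and the admin credentials are assumptions.

```powershell
# Added example, not from the original thread. Assumes default install paths,
# a log folder C:\app\logs on the remote computer, and placeholder admin passwords.
$ErrorActionPreference = 'Stop'

# ----- Home computer: Splunk Enterprise -----
$splunk = 'C:\Program Files\Splunk\bin\splunk.exe'
# Open a plain receiving port for a first LAN test (switch to SSL before exposing it
# through the router; the receiver stanza then lives in inputs.conf instead).
& $splunk enable listen 9997 -auth 'admin:<se-password>'
New-NetFirewallRule -DisplayName 'Splunk receiver TCP/9997' -Direction Inbound `
    -Protocol TCP -LocalPort 9997 -Action Allow | Out-Null

# ----- Remote computer: Universal Forwarder -----
$uf = 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe'
# Private address when testing on the home LAN, the DynDNS name across the internet.
$receiver = '192.168.1.10'      # e.g. 'jbosano.dyndns.org' once the port-forward is in place

# Reachability first: forward-server only shows up as "Active" when this succeeds,
# and a failure here means DNS, the router rule or a firewall, not the forwarder.
$probe = Test-NetConnection -ComputerName $receiver -Port 9997
if (-not $probe.TcpTestSucceeded) {
    throw "TCP/9997 on $receiver is not reachable from this host; fix DNS, port-forwarding or firewall first"
}

# Where to send: equivalent to a [tcpout:...] server = host:port entry in outputs.conf
& $uf add forward-server "${receiver}:9997" -auth 'admin:<uf-password>'

# What to send: monitor a folder. Filtering on the "error" keyword happens at search
# time on the home server, so the forwarder ships the whole file.
& $uf add monitor 'C:\app\logs' -index main -sourcetype app_log -auth 'admin:<uf-password>'

& $uf restart

# Verify: the home computer should now be listed under "Active forwards".
& $uf list forward-server -auth 'admin:<uf-password>'
```

If the receiver appears under "Configured but inactive forwards", the forwarder has the right target but cannot complete the TCP connection; rerun the Test-NetConnection probe from the remote computer rather than from the home LAN, since the port-forward rule only applies to traffic arriving on the router's WAN side.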
Here is my project:
From one server, I would like to follow logs, watching for the "error" keyword, on computers that are over the internet.
I know how to monitor folders, and I know how to look for keywords in the logs, but only on my local computer. When I try to forward logs to my local computer with the CLI (splunk add search-server ...) I get the error "error occured: error while sending public key to search peer: Connection closed by peer".
What kind of logs are you interested in?
You can install a forwarder on your target computer and configure its inputs to capture the relevant data.
Configure the forwarder to send data to Splunk.
Read here for more details:
http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/WhatSplunkcanmonitor
Hope it helps.
- My local computer is a Windows 10 Pro x64,
- The remote computer is the same operating system as the local computer,
- The network between them is the internet.
- I installed the Universal Forwarder on the remote computer.
- I have Splunk Enterprise on the local computer.
All I have found is the command on the CLI, which is in PowerShell: .\splunk add forward-server with the IP and the port.
I just don't understand how it works unfortunately
Not enough information to proceed.
What operating system is your local computer?
What operating system is the remote computer?
What is the network between them? Internet? Company WAN?
Where is there a forwarder installed? local computer? remote computer?
Where is Splunk installed? Is that on the local computer?