Deployment Architecture
Highlighted

How can I monitor logs from a WAN?

Engager

I want to monitor logs on a remote computer (on the wan)

I would like to forward the logs in order to watch them on my local computer.

How can I do?

0 Karma
Highlighted

Re: How can I monitor logs from a WAN?

SplunkTrust
SplunkTrust

what kind of logs are you interested in?
you can install a forwarder on your target computer and configure its inputs to capture relevant data.
configure the forwarder to send data to splunk
read here for more details:
http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/WhatSplunkcanmonitor
hope it helps

0 Karma
Highlighted

Re: How can I monitor logs from a WAN?

Contributor

Not enough information to proceed.

What operating system is your local computer?
What operating system is the remote computer?
What is the network between them? Internet? Company WAN?

Where is there a forwarder installed? local computer? remote computer?

Where is Splunk installed...? is that on the local computer?

0 Karma
Highlighted

Re: How can I monitor logs from a WAN?

Engager

-My local computer is a Windows 10 Pro x64,
-The remote computer is the same operating system as the local computer,
-The network between them is the internet.
- I installed the universal forwarder on the remote computer.
- I have the Splunk Entreprise on the local computer

All I have found is the command on the CLI which is on the powershell: .\splunk add forward-server with IP and the port.

I just don't understand how it works unfortunately

0 Karma
Highlighted

Re: How can I monitor logs from a WAN?

Engager

Here is my project:

From one server, I would like to follow logs, watching for "error" keyword. On computers that are over the internet.

I know how to monitor folders, I know how too look for keywords on the logs, but only on my local computer, when I try to forward logs to my local computers, with the CLI (splunk add search-server ...) I get the "error occured: error while sending public key to search peer: Connection closed by peer)

0 Karma
Highlighted

Re: How can I monitor logs from a WAN?

Splunk Employee
Splunk Employee

This comes down to networking.

In order for a remote computer running a forwarder (or doing anything else for that matter) to reach your local LAN ( I will assume the local computer is on your home network for the sake of this example) you should look into something like dyndns, which will allow your ever changing home internet IP to be reachable.

Once you have done that, you will need to set port forwarding rules in your home router/firewall, to allow traffic to enter your network over 9997 (or whatever port you wish to serve), and you will want to ensure you use SSL on that forwarder connection for secure data transfer.

ie. the WAN UF will send traffic to jbosano.dyndns.org:9997, which will hit your home router, then router will turnaround and forward that traffic to 192.168.1.10 (your local computer address, just an example).

I run a very similar setup in my home lab and as long as you get the networking right, this will work nicely.

Once the networking is complete, you just need to ensure the forwarder is configured correctly.

http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Aboutsecuringdatafromforwarders

Highlighted

Re: How can I monitor logs from a WAN?

Engager

Thank you for your answer, I thought about the same solution as the one you brought me.

But actually I think there is a splunk server where we can forward logs into, and analyse it directly from one computer. For configuring port forwarding rules on each routeur is too complicate.

Have you heard about how to forward logs on splunk server, in a unique admin account?

0 Karma
Highlighted

Re: How can I monitor logs from a WAN?

Splunk Employee
Splunk Employee

I'm not sure what you mean???

The forwarder on the remote computer(s), will forward the logs to the Splunk server you are running at home. Then you can search all the remote computer logs on the one server you are running at home.

The only router you need to configure is the one sitting in front of your splunk server.

0 Karma
Highlighted

Re: How can I monitor logs from a WAN?

Engager

Okay thank you I got it. Can I know exactly about "forward-server", it is the remote computer that hold the logs? and search-server, is it the home server that will receive every logs?

0 Karma
Highlighted

Re: How can I monitor logs from a WAN?

Splunk Employee
Splunk Employee

Protip: ./splunk help command is a great resource!

Many of us have opined that the term forward-server can be misleading, but as the help command shows, it will display the machines that the forwarder is sending data to. In your case, your home computer should show up as an active forward.

[splunker@n00bserver bin]$ ./splunk help list forward-server

list servers that this server forwards data to

[splunker@n00bserver bin]$ ./splunk list forward-server
Active forwards:
    None
Configured but inactive forwards:
    None
[splunker@n00bserver bin]$ 
0 Karma