Getting Data In


Tonyrakus
Explorer

Hi, I am struggling to configure the Splunk forwarder to get data into Splunk. I am trying to get the data (auth.log) sent across from a Kali Linux operating system. When I configured it in Kali I used the syntax below (the IP address is my Kali IP address when I run ifconfig). I followed a guide online which said to use port 11000.

./splunk add forward-server 192.168.253.XX:11000   (note XX is not correct, but I did not want to disclose my IP on here).

I then did below -

./splunk add monitor /var/log/access.log

Then I restarted splunk.

I then went into Splunk Enterprise, Settings and then Forwarder management...

I can see the below. The IP address is not the same as the Kali Linux VM IP. Is that normal? The first three octets are the same, but not the fourth (I assume it is because it is a /24 subnet).

I then go into Search and Reporting, but there is no data summary or any data that has come across. What am I doing wrong?

Client: User-PC
ID: 72660893-7D38-4486-A625-A57C08C5592A
IP address: 192.168.253.1
Machine type: windows-x64
Apps: None; Server classes: None; 0 deployed
Last phone home: 8 minutes ago

Essentially, I am playing around with a few VMs (Ubuntu, Windows 10, Kali Linux) and trying to get the data from those VMs into Splunk Enterprise, and play around with setting up some alerts and generating some reports.

Maybe the Universal Forwarder is not the best idea for what I am trying to do?

I am very new at this, so any help would be great.

Thanks in advance for any help


gcusello
SplunkTrust

Hi @Tonyrakus,

did you enable receiving on your Splunk Enterprise server on the same port you used on the forwarders?

Receiving isn't enabled by default.

As you can read at https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents, the steps to follow are these:

  • enable receiving on Splunk Enterprise [Settings -- Forwarding and Receiving -- Configure Receiving] on the same port used by the UFs (default 9997, but it must be enabled);
  • install the Universal Forwarder on the target servers;
  • configure outputs; you have two ways:
    • the command you used,
    • edit the outputs.conf file (I usually prefer this);
  • if you have a Deployment Server, configure deploymentclient.conf:
    • the command splunk "set deploy-poll <IP_address/hostname>:<management_port>",
    • edit the deploymentclient.conf file (I usually prefer this);
  • restart Splunk on the UF.

If you have a Deployment Server, the best approach is to create a Technical Add-On (called e.g. TA_Forwarders) containing the two files (outputs.conf and deploymentclient.conf).

About the question related to the IP address: are you sure that the displayed IP isn't correct? Splunk reads the IP on the UF and sends it to the Indexer.

Ciao.

Giuseppe

Tonyrakus
Explorer

Hi Gcusello, thanks for your help. I installed Splunk and the Universal Forwarder in Kali Linux. Then I used the command below to set up the forwarder, pointing it at the IP address and port below.
The IP address is the one in my Kali Linux system when I run ifconfig.
./splunk add forward-server 192.168.253.130:9997 -auth Tonyrakus:WhistlXXXX?
I go into Splunk Enterprise, Settings - Forwarder management, and the following screen comes up:

I also went into Settings - Forwarding and receiving - Configure receiving, and made the receiving port 9997.

So given this is it all configured right?

I have no data in Splunk though, so now I need to figure out how to forward it. I want to forward log files.

Any idea how I should do that?

I appreciate your help.

Tonyrakus_0-1597909833544.png

 

 


gcusello
SplunkTrust

Hi @Tonyrakus,

let me understand:

  • you have a machine (with IP 192.168.253.130) where Splunk Enterprise is installed;
  • then you have another machine (with IP 192.168.253.1) where the Splunk Universal Forwarder is installed;
  • there is no firewall between them;
  • there are no personal firewalls or iptables on either machine;
  • you enabled receiving on port 9997 on Splunk Enterprise;
  • if you run "telnet 192.168.253.130 9997" from the UF, it can reach the other machine.

Is all above correct?

If not check the items I listed.

If yes, run this easy search:

index=_internal

on Splunk Enterprise and check if you have one or two hosts: _internal is the index where the Splunk logs are stored; if you have two hosts, one is the Splunk Enterprise server and one is the Universal Forwarder.

If one, there's a problem; if two, it's correct and you can continue.

If you see a server in Forwarder management, it seems only that you ran the command to configure the deployment server ("set deploy-poll <IP_address/hostname>:<management_port>"), not the one to configure the Indexer (./splunk add forward-server 192.168.253.130:9997 -auth Tonyrakus:WhistlXXXX).

Anyway, you should have results for the above search.

Ciao.

Giuseppe

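Giuseppe's steps (enable receiving, set the UF's outputs.conf, add a monitor, restart) and the checklist above boil down to three files having to agree: the indexer needs an enabled [splunktcp://PORT] stanza, the UF's [tcpout:*] server must point at that host and port, and the UF's inputs.conf must monitor the file you actually want. The Python below is an added example written for this thread, not code from the original posts or from Splunk. It parses the three .conf files, flags the mistakes that appear in this thread (receiving never enabled, a UF on the indexer's own host forwarding to itself, /var/log/access.log monitored while auth.log was wanted), and reproduces the "telnet HOST 9997" check with a socket, probing a throwaway local listener so it runs offline. It generalises to any number of tcpout groups and servers. The .conf contents, the hostname splunk-ent and the address 192.168.253.50 for a separate UF VM are constructed for the demo; 192.168.253.130 and port 9997 come from the thread.

```python
"""Lint a Universal Forwarder's outputs.conf/inputs.conf against the indexer's
inputs.conf and probe the receiving port. Added example for this thread; the
.conf contents below are constructed, not copied from any real deployment."""
import configparser
import socket

# Constructed: the thread's setup. Kali (192.168.253.130) runs Splunk Enterprise
# AND a UF that forwards to its own address; receiving was never enabled on the
# indexer, and the monitor targets access.log rather than auth.log.
OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.253.130:9997
"""
BROKEN_UF_INPUTS = """\
[monitor:///var/log/access.log]
disabled = 0
"""
INDEXER_INPUTS_OFF = """\
[default]
host = splunk-ent
"""
KALI_ADDRS = {"127.0.0.1", "192.168.253.130"}  # addresses of the host running the UF

# Constructed: corrected layout. The UF lives on a separate VM (192.168.253.50 is
# an assumed address) and the indexer has receiving enabled on 9997.
FIXED_UF_INPUTS = """\
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = main
"""
INDEXER_INPUTS_ON = INDEXER_INPUTS_OFF + """
[splunktcp://9997]
disabled = 0
"""
UBUNTU_ADDRS = {"127.0.0.1", "192.168.253.50"}
WANTED = ["/var/log/auth.log"]


def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case (Splunk keys are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def forward_targets(outputs_text):
    """(host, port) for every server listed in any [tcpout:<group>] stanza."""
    targets = []
    cp = parse_conf(outputs_text)
    for section in cp.sections():
        if section.startswith("tcpout:") and cp.has_option(section, "server"):
            for item in cp.get(section, "server").split(","):
                host, _, port = item.strip().rpartition(":")
                targets.append((host, int(port)))
    return targets


def receiving_ports(indexer_inputs_text):
    """Ports with an enabled [splunktcp://PORT] stanza. Receiving is off by default,
    so an indexer with no such stanza accepts no forwarder connections at all."""
    cp = parse_conf(indexer_inputs_text)
    ports = set()
    for section in cp.sections():
        if section.startswith("splunktcp://") and cp.get(section, "disabled", fallback="0") not in ("1", "true"):
            ports.add(int(section[len("splunktcp://"):].rpartition(":")[2]))
    return ports


def monitored_paths(uf_inputs_text):
    """Paths from [monitor://PATH] stanzas in the UF's inputs.conf."""
    cp = parse_conf(uf_inputs_text)
    return [s[len("monitor://"):] for s in cp.sections() if s.startswith("monitor://")]


def lint(outputs_text, uf_inputs_text, indexer_inputs_text, uf_local_addrs, wanted_paths):
    """Return human-readable findings; an empty list means the three files agree."""
    findings = []
    targets = forward_targets(outputs_text)
    if not targets:
        findings.append("no [tcpout:*] server set: run 'splunk add forward-server HOST:PORT' on the UF")
    ports = receiving_ports(indexer_inputs_text)
    for host, port in targets:
        if host in uf_local_addrs:
            findings.append(f"UF forwards to {host}, which is its own host: UF and indexer on one machine")
        if port not in ports:
            findings.append(f"indexer has no enabled [splunktcp://{port}]: run 'splunk enable listen {port}' there")
    monitored = monitored_paths(uf_inputs_text)
    for path in wanted_paths:
        if path not in monitored:
            findings.append(f"{path} not monitored (monitored: {monitored or 'nothing'}): run 'splunk add monitor {path}'")
    return findings


def receiver_reachable(host, port, timeout=2.0):
    """The 'telnet HOST 9997' test from the checklist: can the UF open the TCP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_reachability():
    """Stand-in for the indexer's receiving port so the probe runs offline: returns
    (reachable while a local listener is up, reachable after it has been closed)."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = receiver_reachable("127.0.0.1", port)
    return while_open, receiver_reachable("127.0.0.1", port)


if __name__ == "__main__":
    print("as posted:", lint(OUTPUTS, BROKEN_UF_INPUTS, INDEXER_INPUTS_OFF, KALI_ADDRS, WANTED))
    print("corrected:", lint(OUTPUTS, FIXED_UF_INPUTS, INDEXER_INPUTS_ON, UBUNTU_ADDRS, WANTED))
    print("port probe (open, closed):", demo_reachability())
```

On a real host, feed it the contents of $SPLUNK_HOME/etc/system/local/outputs.conf and inputs.conf from the UF, the indexer's inputs.conf, and the UF's own addresses; the "as posted" run reports three findings and the "corrected" run none. The socket probe only proves the port is open, which is the same thing telnet proves; whether the indexer is actually receiving is still answered by the index=_internal search above.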

Tonyrakus
Explorer

Hi Giuseppe

Thank you.

My Kali Linux VM is 192.168.253.130, and yes, Splunk Enterprise is installed there (the VM is set to NAT).

I also installed Splunk universal forwarder on the same machine .

I tried to then set up the forwarder to forward traffic from Kali Linux into Splunk Enterprise, but for some reason it is showing in Splunk Enterprise that a forwarder is set up from IP 192.168.253.1, which I think is another VM (on my main OS, Windows, I went into the command prompt and ran ipconfig; the results are in the screenshot below).

./splunk add forward-server 192.168.253.130:9997 -auth Tonyrakus:WhistlXX82?

Tonyrakus_0-1597915847675.png

 


gcusello
SplunkTrust

Hi @Tonyrakus,

the problem is that you cannot (and don't need to) install Splunk Enterprise and the Universal Forwarder on the same machine!

UF must be on a different server.

If you need to take logs from the first machine, you can take them without installing the UF on it, and it's easier than the UF because you can use the Web GUI.

In addition, you don't need to run the above command if you have everything on the same server.

Ciao.

Giuseppe


Tonyrakus
Explorer

Thanks very much Giuseppe. You're very helpful :)

I have stopped the Universal Forwarder running on Kali now. I have not uninstalled it yet, as I may end up forwarding from it to another Splunk Enterprise at some point.

 

Last question for tonight, I promise: if I now want to upload log files from Kali to Splunk Enterprise, what is the best way of doing that? Clicking on one of the boxes in the screenshot and going from there?

In the Splunk training I did, it only showed how to upload data by uploading log files. I guess I could send some log files from Kali to a file and then upload, but is there another, real-time way so I can keep the log files uploading continuously?

Tonyrakus_0-1597920077173.png

 


gcusello
SplunkTrust

Hi @Tonyrakus,

if you want to forward logs to another Splunk instance, you don't need a UF on the same machine as Splunk Enterprise, because you can forward logs from it: remember that a Splunk Enterprise instance has all the Splunk features; it's the Universal Forwarder that has limited features!

Anyway, to ingest local logs, see [Settings -- Data Inputs] and choose the way to ingest your logs, e.g. if you have logs in files in a folder, you can choose "Files & Directories".

It could probably be useful to read https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/WhatSplunkcanmonitor

Or search a video tutorial on YouTube or Google.

Ciao.

Giuseppe

P.S.: at the end, remember to accept the answer for the other people in the Community.

Karma Points are appreciated 😉

Tonyrakus
Explorer

Thanks very much again.

I will accept for people in the community.

I have managed to get some folders/files etc. uploaded now. I am trying to search specific files from the directories in Search and Reporting, but at this stage my keywords must not be right, as they are not bringing up any results.

I will watch the training you suggested (documentation) and some YouTube clips etc., and will be well on my way.

Thanks again .

 

Tonyrakus_0-1597928851839.png

 


gcusello
SplunkTrust

hi @Tonyrakus,

happy Splunking!

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉
