Re: How do I forward to a vm and forward it out ag...

wuming79 · ‎07-22-2017

Hi,

how does one forward something like sysmon from 1 vm (guest1) to another vm (guest2) and then out to another pc (outside network)?

Do I install universal forwarder and sysmon on Guest 1, and use deployment server to send out to another PC outside network?

wuming79 · ‎07-24-2017

Is a vmware host-only guest able to forward out data to host??

wuming79 · ‎07-23-2017

I made a mistake installing sysmon on both my guest machines and forwarding sysmon log from guest 1 (Host-only) to guest2 (Host-only and natNetwork) and intermediately forward out to another host. I thought I was looking at the sysmon log from guest 1 but realized I'm not.

How should I set up the input.conf and output.conf on guest2??

adonio · ‎07-23-2017

not sure how Deployment Server comes to play here.
Deployment Server controls the forwarders (and other splunk instances if desired) configurations
i think the only thing you need is to verify there is a connection between all 3 machines guest1, guest2, and PC.
have a forwarder collect sysmon and forward it to guest2, have guest2 listen to TCP inputs and forward out using TCP to PC.
have the PC listen to traffic from guest2 on the desired port and you are all set
hope i understand the question and i am not missing something here.

wuming79 · ‎07-23-2017

Hi, thanks adonio, I realized I only need to setup forwarder twice on both guest machines. No need for deployment server.

How do I forward to a vm and forward it out again?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation