Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to Set up Splunk Enterprise- Forwarders and Receivers?

danielleedgingt
Engager
‎03-27-2020 06:36 AM

I am trying to understand how to set up Splunk for the first time. I have several Server VMs (exchange, DC, SCCM, Splunk) and about 70 workstations.

I want to use Splunk to audit my workstations' event logs. This is a high level overview on how I understand that to occur:

  1. Install Splunk Enterprise on my Splunk Server (set up permissions as a domain user, etc)
  2. Configure Splunk Server as a Receiver
  3. Install a Universal Forwarder on every workstation and all of the other servers.
  4. Configure each Universal Forwarder- define inputs on the universal forwarder with configuration files

Am I understanding this correctly?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-27-2020 08:34 AM

Hi @danielleedgington92,
in addition to all the hints of @richgalloway , I suggest to create a Technical Add-on (called e.f. TA_Forwarders): it's an app containing only two files:

  • deploymentclient.conf
  • outputs.conf

The first one contains the address of the Deployment Server (remember that if you have to manage more than 50 target servers you must have a dedicated server for this role!).
The second one contains the addresses of the indexers.

In this way you can manage all the configurations by Deployment Server.
The problem is how to rich the Deployment Server for the first time: for this reason, I usually copy this app (TA_Forwarders) on each target server (and I restart Splunk on UF), so it's connected with the Deployment Server and I can deploy to all the UFs the TAs I need.

Ciao.
Giuseppe

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-27-2020 08:26 AM

You have the general idea. Allow me to add some tips.

1) Run Splunk Enterprise on a Linux server if you can. You'll be much happier if you do.
2) If you run Splunk on Windows, don't use a domain account.
3) The Universal Forwarders should get their configuration files from a Splunk Deployment Server (DS). Using a DS means you don't need to sign in to each server/workstation to update the UF configs.
4) You don't say how many users will be using Splunk or what hardware Splunk will be on, but I expect you will quickly outgrow a standalone Splunk server. If this is not just a sandbox, consider setting up a distributed environment with separate search head and indexer servers.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...