Getting Data In

How to Set up Splunk Enterprise- Forwarders and Receivers?

I am trying to understand how to set up Splunk for the first time. I have several Server VMs (exchange, DC, SCCM, Splunk) and about 70 workstations.

I want to use Splunk to audit my workstations' event logs. This is a high level overview on how I understand that to occur:

  1. Install Splunk Enterprise on my Splunk Server (set up permissions as a domain user, etc)
  2. Configure Splunk Server as a Receiver
  3. Install a Universal Forwarder on every workstation and all of the other servers.
  4. Configure each Universal Forwarder- define inputs on the universal forwarder with configuration files

Am I understanding this correctly?

0 Karma

Legend

Hi @danielleedgington92,
in addition to all the hints of @richgalloway , I suggest to create a Technical Add-on (called e.f. TA_Forwarders): it's an app containing only two files:

  • deploymentclient.conf
  • outputs.conf

The first one contains the address of the Deployment Server (remember that if you have to manage more than 50 target servers you must have a dedicated server for this role!).
The second one contains the addresses of the indexers.

In this way you can manage all the configurations by Deployment Server.
The problem is how to rich the Deployment Server for the first time: for this reason, I usually copy this app (TA_Forwarders) on each target server (and I restart Splunk on UF), so it's connected with the Deployment Server and I can deploy to all the UFs the TAs I need.

Ciao.
Giuseppe

0 Karma

SplunkTrust
SplunkTrust

You have the general idea. Allow me to add some tips.

1) Run Splunk Enterprise on a Linux server if you can. You'll be much happier if you do.
2) If you run Splunk on Windows, don't use a domain account.
3) The Universal Forwarders should get their configuration files from a Splunk Deployment Server (DS). Using a DS means you don't need to sign in to each server/workstation to update the UF configs.
4) You don't say how many users will be using Splunk or what hardware Splunk will be on, but I expect you will quickly outgrow a standalone Splunk server. If this is not just a sandbox, consider setting up a distributed environment with separate search head and indexer servers.

---
If this reply helps you, an upvote would be appreciated.