Getting Data In

I am new to Splunk and have a question

knsaunders
Loves-to-Learn

Greetings!  I am new to Splunk and I am trying to learn it, so please take it easy on me 🙂

I set up an environment with a Kali VM (this is where Splunk Enterprise is set up), a Windows 10 Enterprise VM and a Windows Server 2019 VM.  I set up the Universal Forwarder on Windows 10, and when I go to Splunk I can see it listed as a "Host"; I also set up the Kali VM to send its logs to Splunk and I see it listed as a "Host" as well.  However, the logs coming from the Windows Server 2019 (set up as a Domain Controller) are not showing up as a "Host"; they seem to be merged in with one of the other "Hosts". It is my understanding that any logs coming in from the Server should show up as a different Host, so I should see the Kali VM as a Host, the Windows 10 VM as a Host and the same for Server 2019; however, as I explained, it is not showing up as a Host.

If anybody is willing to help, please let me know what information you would like me to share.


Thank you in advance.


Kirk


inventsekar
SplunkTrust

Hi @knsaunders ... Some more details are needed, please. You have installed a Splunk system and you installed universal forwarders on 2 other systems.

Then, on the UFs, did you create inputs.conf and outputs.conf?

Are the UFs able to communicate with the Splunk indexer? (Do ping and telnet work fine from the UF to the indexer?)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

knsaunders
Loves-to-Learn

Thank you for your response!

Yes, I installed Splunk Enterprise on my Kali VM and the Universal Forwarders on Windows 10 Enterprise and Windows Server 2019. I can ping with no problems between all of the machines. For the Kali VM logs, I just installed the "Splunk Add-on for Unix and Linux" app and the logs are being indexed with no problems.

I did edit inputs.conf and outputs.conf; here is a copy of them:

Windows 10 VM

inputs.conf

[default]
host = Windows10Ent

[scripts://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor://C:\logs\remote_access.log]
sourcetype = remote_access_logs
index = remotelogs

[WinEventLog://Application]
index=remotelogs

[WinEventLog://Security]
index=remotelogs

[WinEventLog://System]
index=remotelogs

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.163.129:9997

[tcpout-server://192.168.163.129:9997]


Windows Server 2019

inputs.conf

[default]
host = KKMEDIA-SERVER2019

[scripts://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0

[monitor://C:\logs\remote_access.log]
sourcetype = remote_access_logs
index=remotelogs

[WinEventLog://Application]
index=remotelogs

[WinEventLog://Security]
index=remotelogs

[WinEventLog://System]
index=remotelogs


outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.163.129:9997

[tcpout-server://192.168.163.129:9997]


Logs are coming in under 2 Hosts, the Kali machine (where Splunk Ent. is installed) and the Windows 10 VM, and I see them listed as "Hosts".   When I did not see the Windows Server 2019 logs coming in, I found this command to check what IP addresses the logs were coming in from, and sure enough one of them was the IP for my Windows Server 2019.  When I dug a little deeper and looked at the logs with a Source IP of the Windows Server, it showed "host=kali".

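As an added example (not code from this thread or from Splunk), the following script parses a Universal Forwarder inputs.conf of the same shape as the files posted above, reports the host each stanza would carry after inheriting from [default], and flags a stanza header that was never closed with `]`, a slip that is easy to make when these files are typed by hand. The sample config and the host name EXAMPLE-SERVER are constructed; the script does not model how Splunk itself treats a malformed header, it only makes such a line visible before the file is deployed.

```python
import re

# Constructed sample (not the thread's file): a UF inputs.conf with one
# stanza header that deliberately lacks its closing ']' on line 7.
SAMPLE_INPUTS = """\
[default]
host = EXAMPLE-SERVER

[WinEventLog://Application]
index=remotelogs

[WinEventLog://System
index=remotelogs
"""

STANZA_RE = re.compile(r"^\[([^\]]*)\]\s*$")


def parse_inputs_conf(text):
    """Return ({stanza: {key: value}}, [problems]) for inputs.conf text.
    An unclosed header is reported but still collects the keys under it."""
    stanzas, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA_RE.match(line)
            if m is None:
                problems.append(f"line {lineno}: stanza header missing ']': {line}")
            current = m.group(1) if m else line[1:]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            problems.append(f"line {lineno}: unexpected line: {line}")
            continue
        stanzas[current][key.strip()] = value.strip()
    return stanzas, problems


def effective_host(stanzas, stanza):
    """Host a stanza reports: its own 'host' if set, otherwise [default]'s."""
    own = stanzas.get(stanza, {}).get("host")
    return own if own else stanzas.get("default", {}).get("host")


if __name__ == "__main__":
    parsed, issues = parse_inputs_conf(SAMPLE_INPUTS)
    print({name: effective_host(parsed, name) for name in parsed})
    print("\n".join(issues) or "no problems found")
```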