I am setting up a test rig, and not receiving any logs from another Linux box (please see rig details below).
Splunk Server - Fedora 15 (Latest version of Splunk)
Security Onion - Xubuntu (Universal Forwarder installed - not reporting)
Windows Desktop - XP Pro installed (Universal Forwarder installed and reporting)
I have installed the universal forwarder on the Security Onion machine, but it only gave the option to set the management port; I am not sure if anything else needs setting up. I am new to Linux, so I am sorry if this is a newbie question.
Go to the forwarder and cd to $SPLUNK_HOME/bin
Run this command: . ./setSplunkEnv
That sets up the environment and puts Splunk in your path.
Next, run this command: splunk add forward-server YOURSPLUNKSERVER:9997
Restart Splunk with this command: splunk restart
On the Splunk server, log in to the UI and go to Manager > Forwarding and receiving > Configure receiving
Add a new receiver and Listen on port 9997
Hopefully that should cover it.
I made the assumption that he already had added something to the inputs.conf file on the forwarder. If not, simply download the *Nix App to the Splunk Server, configure everything and save it.
Now, on the Splunk server, go to $SPLUNK_HOME/etc/apps
From there, run: tar -czvf unix.tgz unix
Copy this file over to the forwarder and place it into the $SPLUNK_HOME/etc/apps directory.
From there run: tar -zxvf ./unix.tgz
Then restart the forwarder with $SPLUNK_HOME/bin/splunk restart
All would be easier with a deployment server configured, but that's another thread.
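The two answers above drive everything through the splunk CLI and the web UI. As an added example (not code from the thread or from Splunk), the script below writes the same configuration files those steps produce, so each step can be checked on disk: outputs.conf on the forwarder (what `splunk add forward-server HOST:PORT` creates), the `[splunktcp://PORT]` receiving stanza on the indexer (what "Listen on port" creates), and the tar-based copy of an app from the server's etc/apps into the forwarder's etc/apps. The SPLUNK_HOME paths, the 192.0.2.10 address and the app name are parameters or constructed values, and nothing here contacts a running splunkd; a port argument outside 1-65535 is rejected before anything is written.

```shell
#!/bin/sh
# Added example: the on-disk equivalent of the CLI/UI steps in this thread.
# SPLUNK_HOME paths are passed in as arguments; no live Splunk is needed.
set -eu

# Validate a TCP port number (digits only, 1-65535). Returns 0 if valid.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Forwarder side: equivalent of `splunk add forward-server SERVER:PORT`.
# Writes etc/system/local/outputs.conf under the given SPLUNK_HOME.
write_forwarder_outputs() {
    home="$1"; server="$2"; port="$3"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    mkdir -p "$home/etc/system/local"
    cat > "$home/etc/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = $server:$port

[tcpout-server://$server:$port]
EOF
}

# Indexer side: equivalent of Manager > Forwarding and receiving >
# Configure receiving > "Listen on port". Writes a [splunktcp://PORT] stanza.
write_receiver_inputs() {
    home="$1"; port="$2"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    mkdir -p "$home/etc/system/local"
    cat > "$home/etc/system/local/inputs.conf" <<EOF
[splunktcp://$port]
disabled = 0
EOF
}

# Package an app directory from the server's etc/apps and unpack it into the
# forwarder's etc/apps, as the second answer does with tar.
copy_app() {
    server_home="$1"; fwd_home="$2"; app="$3"
    [ -d "$server_home/etc/apps/$app" ] || { echo "no such app: $app" >&2; return 1; }
    tmp="$(mktemp)"
    tar -czf "$tmp" -C "$server_home/etc/apps" "$app"
    mkdir -p "$fwd_home/etc/apps"
    tar -xzf "$tmp" -C "$fwd_home/etc/apps"
    rm -f "$tmp"
}

# Report which server the forwarder is configured to send to: a file-based
# stand-in for `splunk list forward-server`, which would ask splunkd instead.
configured_forward_server() {
    sed -n 's/^server = //p' "$1/etc/system/local/outputs.conf"
}
```

Both the forwarder and the indexer still need `splunk restart` after the files are written, exactly as the answers say. Because the receiving port accepts data from any host that can reach it, restrict 9997 on the indexer's firewall to the forwarders you expect; and since the forwarder's local admin account starts with the default password mentioned later in this thread, change it on each forwarder with `splunk edit user admin -password NEWPASSWORD -auth admin:changeme` before putting it in service.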
Thank you for all of your help. When trying to run the command below I have replaced the "YOURSPLUNKSERVER" with the IP address of the Splunk server.
splunk add forward-server YOURSPLUNKSERVER:9997
However, when running the command I get a permission error, and there is no su password set on the Security Onion images. I then tried running the command with sudo and get prompted for a Splunk username; I entered the admin username and password used on the web front end, which failed, and then tried the credentials for the account logged on to the Fedora machine, which also failed. Not sure which other credentials I can try?
The password for admin is always 'changeme', regardless of what the real password on the indexer is. This means people can easily do an attack against a real Splunk indexer with lots of junk data. Of course, such a person needs machine access as an insider at such a company.