I'm trying to study the activities of some Malware thus I created the following environment using virtualbox. But I could not get the forwarder to work correctly. I could only get 1 event when I reboot guest 2. Did I miss out some other configurations?
Disabled the VirtualBox Host-Only Network so that guest and host could not ping each other, but guests can still ping each other.
IE8WIN7, SP1, IE Version 8.0.7601.17514
Network: Nat Network
Installed Splunk Enterprise
Open port 9998 to receive events (set up at http://localhost:8000/en-US/manager/search/data/inputs/tcp/cooked)
Set Firewall to allow inbound and outbound 10.0.2.4 and port 9998.
IE8WIN7, SP1, IE Version 8.0.7601.17514
Installed Splunk Universal Forwarder
Install sysmon via CLI "sysmon -i -n -accepteula"
Added the following into universal forwarder input.conf
disabled = false
renderXml = true
Set Firewall to allow inbound and outbound 10.0.2.15 and port 9998.
I only got 1 event after Guest 2 reboots. After that, no matter what programs I open in Guest 2, there are no events seen from Guest 1.
Not trying to revive a dead post, but in case others are facing the same problem: check the names of the .conf files created. You listed your files as input.conf and output.conf. The correct file names are inputs.conf and outputs.conf.
Fix the file names and you would probably have your problem solved.
Just for record since I didn't find any answers on this subject yet.
The reason why "splunk list forward-server" showed nothing was that my cmd was not executed as administrator.
When I executed it as administrator, I could see my IP and port configured and active.
Now the issue again... so "list forward-server" listed my IP and port as configured and active, and I had allowed the ports to communicate between the 2 guests, so why didn't the data come in?
I tried the cmd "splunk list forward-server" in SplunkUniversalForwarder/bin to check the connection; after entering my userId and password, it just came back to DOS and showed nothing. I have another VMware setup using the vmnet8 adapter and I was able to forward my sysmon events out there. The cmd "splunk list forward-server" was able to see active connections. What could possibly be the issue? A VirtualBox incompatibility issue??
I saw the following msg in splunkd.log on guest1.
ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-Sysmon/Operational'
Does this mean guest2 has forwarded something over to guest1 but it still can't find the event log?
Do I just need to set allow TCP port 9997 (local and remote) in outbound rule in guest 1 and set allow TCP port 9997 (local and remote) in outbound rule in guest 2?
Do I actually need to set allow IP 10.0.2.4 (local and remote) in outbound rule in Guest 1 and set allow IP 10.0.2.15 (local and remote) in outbound rule in Guest 2?
I have uninstalled and reinstalled the universal forwarder without indicating a deployment server or receiving information.
I then tried to follow the instructions at https://answers.splunk.com/answers/126122/no-available-server-list-on-opt-splunkforwarder-bin-splunk...
I went to check my Guest 1, and still nothing from Guest B... I rebooted Guest B and it seems that I have also lost the initial event that I saw previously (in the first post).
I went to check C:\Program Files\SplunkUniversalForwarder\etc\system\local
my input.conf and output.conf are as below:
[default]
host = IE8Win7

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.2.4:9997
My guest 1 was configured to listen on port 9997. Do I need to do anything on "Configure Forwarding"?
My guest 2 universal forwarder output.conf defaults to the following:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.2.4:9997

[tcpout-server://10.0.2.4:9997]
I just appended the following below:
Results: No results.
What you need to do is enable receiving on your guest 1. Log in to the Guest 1 Splunk web UI, go to Settings --> Forwarding and Receiving, and configure receiving.
On Guest 2 where you have installed universal forwarder, add outputs.conf entry to enable UF to forward data to Splunk Enterprise server.
[tcpout:eis_clustered_indexers]
server = ip_address:port
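As an added example (not code from this thread or from Splunk), a small Python lint for the mistakes the two answers above point at: conf files named input.conf / output.conf, which the forwarder ignores; an inputs.conf without an enabled Sysmon WinEventLog stanza; and an outputs.conf whose default tcpout group has no usable server line or sends to a different port than the receiver listens on (the original setup opened 9998 on guest 1 but forwarded to 9997). The stanza names and sample values are taken from this thread; the expected receiving port is an assumption passed in as a parameter.

```python
"""Lint a Splunk Universal Forwarder's etc/system/local conf files for the
mistakes raised in this thread (wrong filenames, missing Sysmon stanza, bad tcpout)."""
import configparser
import os
SYSMON_STANZA = "WinEventLog://Microsoft-Windows-Sysmon/Operational"
# Splunk only reads the plural names; input.conf / output.conf are silently ignored.
MISNAMED = {"input.conf": "inputs.conf", "output.conf": "outputs.conf"}

def parse_conf(text):
    """Parse Splunk's INI-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys such as renderXml are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def lint_forwarder(files, expected_port="9997"):
    """files maps conf filename -> text. Returns a list of problems (empty = OK)."""
    problems = []
    for wrong, right in MISNAMED.items():
        if wrong in files and right not in files:
            problems.append(f"{wrong} is ignored by Splunk; rename it to {right}")
    if "inputs.conf" in files:
        stanza = parse_conf(files["inputs.conf"]).get(SYSMON_STANZA)
        if stanza is None:
            problems.append(f"inputs.conf lacks a [{SYSMON_STANZA}] stanza")
        elif stanza.get("disabled", "0").lower() in ("1", "true"):
            problems.append("Sysmon WinEventLog stanza is disabled")
    if "outputs.conf" in files:
        out = parse_conf(files["outputs.conf"])
        group = out.get("tcpout", {}).get("defaultGroup")
        server = out.get(f"tcpout:{group}", {}).get("server", "") if group else ""
        if not server:
            problems.append("outputs.conf: defaultGroup has no server = host:port")
        elif not server.endswith(":" + expected_port):
            problems.append(f"outputs.conf sends to {server}, not port {expected_port}")
    return problems

def load_local_dir(path):
    """Read every .conf file from a real etc/system/local directory."""
    return {f: open(os.path.join(path, f)).read()
            for f in os.listdir(path) if f.endswith(".conf")}

# Constructed sample reproducing the thread's first setup: misnamed files.
SAMPLE_WRONG = {
    "input.conf": f"[{SYSMON_STANZA}]\ndisabled = false\nrenderXml = true\n",
    "output.conf": "[tcpout]\ndefaultGroup = default-autolb-group\n"
                   "[tcpout:default-autolb-group]\nserver = 10.0.2.4:9997\n",
}
if __name__ == "__main__":  # e.g. lint_forwarder(load_local_dir(r"C:\...\local"))
    print(*lint_forwarder(SAMPLE_WRONG), sep="\n")
```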