I've setup Splunk enterprise as a trial in a test domain however im having issues importing logs from different remote sources. Firstly it says connect to an LDAP before importing remote data. Tried this however it wont connect to the domain, too many fields in here to fill in without giving examples. "Could not find userBaseDN on the LDAP server".
I tried installing the Splunk forwarder on a Windows based DC and set the Splunk server forwarding and receiving to receive from port 9997. Then tried importing the host again and keep getting errors about WMI classes from host blah blah.
Where is the documentation on setting up WMI for different remote sources? This piece should be easy. God help me when i try to add logs from networking devices. Real answers only please, no time wasters.
Cheers,
Normally, I've found using the command line (CLI) to set up being a deployment client is easier. It's a single command on your Splunk Universal Forwarder. https://docs.splunk.com/Documentation/Splunk/9.2.1/Updating/Configuredeploymentclients
Receiving is, as you noticed, on the receiving page. As long as that's configured (obligatory Splunk Docs link https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Enableareceiver) then it'll accept data from other systems.
Now keep in mind those two systems are separate, use different ports and are managed differently/separately, and in fact you can have either one without the other (though some combinations are a bit silly or pointless). And there's three concepts.
Receiving is set up on an indexer (technically, on any full Splunk instance), and enabling it enables that server to accept data (usually over port 9997) from any other Splunk instance, UF or HF (that's "Universal Forwarder" and "Heavy Forwarder", in case you didn't know).
Forwarding is the other side of Receiving - Forwarding is set up on the machines you want to have send their data to that receiving system. Enabling forwarding on a UF tells it to send all the data that it reads/whatever into that receiving system.
Deployment client/server is a *management* system. So you set up receiving and forwarding which is the plumbing of how the data moves around. Then the deployment server (which is, iirc, enabled by default on all full Splunk instances so does not need to be separately enabled) is listening on port 8089 by default. Once you have the forwarding and receiving in place, you tell your UF to be a deployment client of the deployment server via the docs I supplied above. After you've done that, when you go on the server to add data you'll have new options in the 'add data' section to have it get the data from the UF. Here's another docs link for that. https://docs.splunk.com/Documentation/Splunk/latest/Data/Forwarddata
Hope that helps! I know it's got some new concepts and ideas and it's not quite like many other systems. But it all generally does make sense once you get over the hump.
-Rich
In this case I suspect starting at the end and working backwards might be helpful.
WMI - While it's not terrible for some small testing, I'd suggest not using it because it's *far* more difficult to set up, manage, and deal with than using a Universal Forwarder on the actual endpoint. The UF installs easily, is tiny and efficient, and *also uninstalls easily and completely too*.
And don't take my word for it, Splunk also has docs for this. I know, it'll sound like they're "pushing the UF for some nefarious reason" but there's nothing nefarious about it, it's just better in nearly every way than using WMI. https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/ConsiderationsfordecidinghowtomonitorWindows...
Even neater is to spend the few minutes - it's not terribly hard! - to set up the forwarders to use your splunk as a deployment server. Then on your Splunk you *can* create remote inputs, but instead of being some unreliable "pull" over wmi, it'll be configs sent to the UF to tell it how to collect them locally and send in those logs.
And with those changes, all your complaints about WMI will disappear. I mean, you may have new complaints, but they won't be about WMI. 🙂
"Could not find userBaseDN on the LDAP server" is just generally just 'incorrect configuration'. Some time in ADSI Edit and the various AD tools may help here.
And network devices - it truly depends on your familiarity with syslog etc, but even having had been a Windows admin I found getting network device data into Splunk was at least as easy as getting Windows data in. You literally started with what I think is the hard part. 🙂 There's one or two extra moving parts, but they're all simple, isolated parts in the device->syslog->UF->Splunk path that are easily understood and worked with, vs. the "magic" and weird stuff that the Windows event logs can sometimes conjure up.
And a note - we're all 100% volunteers here. I'm sure the comment about "no time wasters" was just frustration speaking, and that's understandable. But it did come off as somewhat unkind and I'm sure you would have gotten something of an answer much quicker without that. No one here that I've ever seen wants to waste your time. We're all spending our free time trying to help people.
Hey man,
Thanks for the quick reply, I've installed the UF on the DC. So i need to change some configs on the DC then under the Splunk folder to point back to the Splunk server? What changes need to be made, i'm guessing its that notepad file under the splunk /etc/system/local. I see outputs file is set to use my Splunk Server and DeploymentClient is pointing to Splunk server IP also.
Service is running on DC and firewall rules checked also.
Do i need to configure something else on the Splunk server that isn't the receiver landing page? In the Choose logs from this host field(under remote sources), when i chuck the IP of the DC in there it just keeps saying unable to get WMI classes from host. Do i even need to fill out this page?
Under forwarder management it says " no clients or apps are currently available on this deployment server" Does that mean i need to install forwarder on the server too?
....and yes just some frustration there.
Cheers