
splunk forwarder - blue cape security tutorial

benmstl
New Member

Hello Splunk community

In a nutshell, my problem is I have set up Splunk and a forwarder on a server and added input and output rules respectively. However, I am receiving no data from the forwarders to my Splunk dashboard.

I am very new to the info sec world and I am following a tutorial on bluecapesecurity.com for setting up a medium home lab. I have a windows 19 server and enterprise client installed. I would love any input on possible solutions. I am sure it's going to be something simple or a single setting I missed.

the input.conf file is 

# All Windows Event logs
[monitor://C:\Windows\System32\Winevt\Logs\*.evtx]
disabled = false
index=winevtx

the input.conf file is saved in the:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local

I have set up inbound and outbound rules for letting anything from the Splunk program through, as well as opened port 9997.


benmstl
New Member

I figured it out. I was just missing the host and guest port numbers in the Oracle VM NAT Network "port forwarding" setting.


PickleRick
SplunkTrust

1. It's not clearly written, but you don't install Splunk server and a UF on the same machine.

But more importantly:

2. For Windows events you use the WinEventLog type inputs. You don't monitor the .evtx file.

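As an added illustration of point 2 (this is not configuration from the thread, from the Blue Cape Security tutorial, or from Splunk's own docs), the stanzas below show the same three Windows logs collected through the WinEventLog input type rather than by tailing the .evtx files, together with the forwarder's outputs.conf and the two indexer-side settings that also have to be in place before anything shows up in a search. Note that the Universal Forwarder reads `inputs.conf` (plural). The indexer address 192.0.2.10, the output group name home_lab_indexer and the index name winevtx are assumptions chosen to match the question.

```ini
# --- Universal Forwarder: etc\apps\<your_app>\local\inputs.conf ---
# Read the channels through the Windows Event Log API instead of
# monitoring the .evtx files on disk.
[WinEventLog://Security]
disabled = 0
index = winevtx
# On first start, backfill events that already exist in the log,
# not just events written after the forwarder connects.
start_from = oldest
current_only = 0
# Ship the event as XML so field extraction on the indexer is consistent.
renderXml = true

[WinEventLog://System]
disabled = 0
index = winevtx

[WinEventLog://Application]
disabled = 0
index = winevtx

# --- Universal Forwarder: etc\system\local\outputs.conf ---
# 192.0.2.10 is a placeholder (assumption) for the Splunk Enterprise host.
# With VirtualBox NAT, this is the address and port that the NAT
# port-forwarding rule maps to the guest running Splunk Enterprise.
[tcpout]
defaultGroup = home_lab_indexer

[tcpout:home_lab_indexer]
server = 192.0.2.10:9997

# --- Indexer (Splunk Enterprise): etc\system\local\inputs.conf ---
# Listen for forwarder traffic on the port the firewall rule opened.
[splunktcp://9997]
disabled = 0

# --- Indexer (Splunk Enterprise): etc\system\local\indexes.conf ---
# The target index must exist on the indexer; events sent to an unknown
# index are logged as errors in splunkd.log and dropped unless
# lastChanceIndex is configured.
[winevtx]
homePath = $SPLUNK_DB\winevtx\db
coldPath = $SPLUNK_DB\winevtx\colddb
thawedPath = $SPLUNK_DB\winevtx\thaweddb
```

After restarting both sides (`splunk restart` from the bin directory), two checks narrow down "no data" quickly: on the forwarder, `splunk list forward-server` reports whether the indexer is under "Active forwards" or "Configured but inactive forwards" (inactive means a network or port-forwarding problem, which is what the original poster hit); on the indexer, searching `index=_internal source=*metrics.log* group=tcpin_connections` shows each forwarder that has connected. If the connection is active but the Security channel is empty, check that the account the SplunkForwarder service runs as is Local System or a member of the Event Log Readers group, since the Security log is not readable by ordinary users.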