I am looking to play with some backdoors and exploits for research purposes, so I have a Metasploitable VM set up. I've installed the Splunk Forwarder on that VM and have confirmed that it is running. I have set it up to index on my host machine (Windows 10).
I know everything is pointing to the right place because when I disable my Windows Firewall completely (yikes), I can see all the logs I generated from the VM, even from events that happened before I disabled the firewall. For instance, I sent many whoami requests through a backdoor in the VM and Splunk Search had no logs documenting it, however when I turned off my firewall (on host machine), all the logs from the last 15 minutes of activity were suddenly there.
I've tried fixing this problem for awhile and have tried opening, inbound and outbound, every port Splunk would feasibly use. They were open on Metasploitable's UFW as well. (ie 8000, 8089, 9997, 389, 3268, plus a custom port I used instead of 9997).
Not sure what other information I might need to provide, but if someone would try and lend me a hand I would really appreciate it.
It looks like there's data coming from the /bin/metrics.log, sent on 42144 and coming in on the forwarding port I used instead of 9997, I opened both of those on the VM as well as the host machine but I'm still not seeing any real-time logs when I query from the VM.