Splunk Enterprise

New Deployment of Splunk Enterprise and Configure Universal Forwarder

prateek123
New Member

The scenario is that there are 100 endpoints sending logs to their internal in-house syslog server. We need to deploy Splunk here so that the admin will be able to monitor logs on Splunk Enterprise. Make sure both the Universal Forwarder and Splunk Enterprise are present on the same syslog server.

I am here for the steps I need to follow for this deployment.
I am listing below the steps I am thinking of taking.

1.) First I am thinking to install Splunk Enterprise on the server and then to install the universal forwarder.
2.) During the installation process of the universal forwarder I choose local system rather than domain deployment, then in deployment server I have to leave it blank, and on receiver server I have to put the syslog server's IP address and port number, which I can get by running the command ipconfig in cmd.
3.) I need to download the Microsoft add-on from Splunkbase on the same server.
4.) Extract the Splunkbase file, create a local folder in SplunkForwarder > etc, paste the input.conf file there and make the required changes.
5.) Then I will be able to get all the syslog server's logs on Splunk Enterprise.

Please correct me, or add other steps which I need to follow.

0 Karma

richgalloway
SplunkTrust

There is no need to install Splunk Enterprise and Universal Forwarder on the same server. It can be done, but requires special effort with little gain. Splunk Enterprise is capable of everything the UF does.

1) Put the UF on the syslog server and SE on separate servers.

2) The receiver address is that of Splunk. It's the server that will receive data from the UF.

3) Which Microsoft add-on?  There are several and most are not needed.

4) Configure syslog to save events to disk files. Configure the UF (in inputs.conf) to monitor those disk files.

---
If this reply helps you, Karma would be appreciated.
0 Karma
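Steps 2 and 4 of the reply above come down to two UF config files: inputs.conf (monitor the syslog daemon's disk files) and outputs.conf (point the UF at the Splunk Enterprise receiver, not at the syslog server). The script below is an added example, not from the thread or from Splunk; it assumes a placeholder app name `syslog_inputs`, a per-host file layout `<SYSLOG_DIR>/<hostname>/*.log`, a placeholder `syslog` index that already exists on the indexer, and an indexer address of the form `host:9997` with receiving enabled there (`splunk enable listen 9997`).

```shell
#!/bin/sh
# Added example (not the thread's or Splunk's own code): write the UF's
# inputs.conf and outputs.conf into $SPLUNK_HOME/etc/apps/syslog_inputs/local.
# Assumptions (placeholders): app name "syslog_inputs"; syslog files stored as
# <SYSLOG_DIR>/<hostname>/*.log; index "syslog" exists on the indexer;
# receiving is enabled on the Splunk Enterprise host ("splunk enable listen 9997").
set -eu

write_uf_conf() {
  splunk_home=$1; syslog_dir=$2; indexer=$3
  app="$splunk_home/etc/apps/syslog_inputs/local"
  mkdir -p "$app"
  # host_segment = number of path components in syslog_dir + 1, so the
  # directory directly under syslog_dir names the originating endpoint
  # (e.g. /var/log/remote/<host>/... -> segment 4).
  seg=$(( $(printf '%s' "$syslog_dir" | tr -cd '/' | wc -c) + 1 ))
  cat > "$app/inputs.conf" <<EOF
# Monitor the files the syslog daemon writes to disk (reply step 4).
[monitor://$syslog_dir]
disabled = false
recursive = true
sourcetype = syslog
index = syslog
host_segment = $seg
EOF
  cat > "$app/outputs.conf" <<EOF
# Receiver is the Splunk Enterprise server, not the syslog server (reply step 2).
# For production add TLS settings here (sslRootCAPath, clientCert, sslPassword).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $indexer
EOF
  echo "$app"
}

# Stand-alone run writes into a scratch directory instead of a real install;
# point the first argument at the real $SPLUNK_HOME when deploying.
if [ "${1:-}" = "--demo" ]; then
  write_uf_conf "$(mktemp -d)" /var/log/remote 10.0.0.5:9997
fi
```

After copying the files into the real $SPLUNK_HOME, restart the UF and confirm the connection on the indexer with `splunk list forward-server` on the UF side.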