This should help; these are the steps I used to do exactly what you're having a problem with.
When adding the Windows Machine you will likely get an “RPC Server” error message. This is because the Windows Firewall is blocking the RPC input and output. What we want to do to make the Splunk server talk to the box is:
Go to the remote machine's firewall and add an exemption for TCP Port 135 (Inbound RPC)
While adding this port click the scope button and go to “custom”, add the Splunk server IP
Click ok and then add a port
This time add an exemption for port 5000, name it RPC Dynamic
While adding this port click the scope button and go to “custom”, add the Splunk server IP
Click ok and then exit Windows firewall
Next start regedit
NOTE: Make a backup of your registry!!!!
With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
Key Data Type
NOTE: The key "Internet" does not exist nor do any of these strings. You're creating them!
Ports REG_MULTI_SZ
Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by 5000.
PortsInternetAvailable REG_SZ Y or N (not case-sensitive)
If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.
UseInternetPorts REG_SZ Y or N (not case-sensitive)
Specifies the system default policy. If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously. If N, the processes using the default will be assigned ports from the set of intranet-only ports.
The end result will have the new key looking like:
Ports: REG_MULTI_SZ: 5000
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y
Finally, following these changes to the registry, the computer will require rebooting.
Going back to the Splunk web server where we left off on step two, clicking the “Find Logs” button should return with the ports for addition below in “Additional Logs”
The result of this is increased security by only allowing these open ports to be connected to by your Splunk server and having only one open Dynamic RPC port instead of a range.
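The steps in the post above, scripted as an added example (not code from the original poster or from Splunk): it backs up the RPC key, creates the three `Internet` values, adds the two firewall exemptions scoped to the Splunk server, and prints what was applied. Assumptions: a Windows version that ships the NetSecurity cmdlets (`New-NetFirewallRule`), an elevated prompt, a placeholder Splunk server address, and an illustrative backup path.

```powershell
# Added example. Run elevated on the remote Windows machine, then reboot.
# Assumptions: 192.0.2.10 is a placeholder for the Splunk server IP; the backup path is illustrative.
param(
    [string]$SplunkServerIp = '192.0.2.10',
    [string]$RpcPort        = '5000',
    [string]$BackupFile     = "$env:TEMP\rpc-key-backup.reg"
)
$ErrorActionPreference = 'Stop'
$internetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# Back up the parent Rpc key before touching it (the post's "make a backup" note).
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Rpc' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupFile failed" }

# The Internet key and its values do not exist by default; create them.
if (-not (Test-Path $internetKey)) { New-Item -Path $internetKey | Out-Null }
New-ItemProperty -Path $internetKey -Name 'Ports' -PropertyType MultiString -Value @($RpcPort) -Force | Out-Null
New-ItemProperty -Path $internetKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $internetKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Inbound exemptions for the endpoint mapper (135) and the pinned dynamic port,
# each scoped to the Splunk server only. Existing rules with these names are replaced.
$rules = [ordered]@{ 'Inbound RPC' = '135'; 'RPC Dynamic' = $RpcPort }
foreach ($name in $rules.Keys) {
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $rules[$name] -RemoteAddress $SplunkServerIp -Action Allow | Out-Null
}

# Read everything back so the applied state can be checked before rebooting.
$reg = Get-ItemProperty -Path $internetKey
[pscustomobject]@{
    Ports                  = $reg.Ports -join ','
    PortsInternetAvailable = $reg.PortsInternetAvailable
    UseInternetPorts       = $reg.UseInternetPorts
}
foreach ($name in $rules.Keys) {
    $rule = Get-NetFirewallRule -DisplayName $name
    [pscustomobject]@{
        Rule          = $name
        LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    }
}
Write-Warning 'Reboot the machine for the RPC port settings to take effect.'
```

With a single port in `Ports`, only one dynamically assigned RPC endpoint can hold it at a time, so after the reboot confirm that the services you depend on still start.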