Greetings! I am new to Splunk and I am trying to learn it so please take it easy on me 🙂
I set up an environment with a Kali VM (this is where Splunk Enterprise is set up), a Windows 10 Enterprise VM and a Windows Server 2019 VM. I set up the Universal Forwarder on Windows 10, and when I go to Splunk I can see it listed as a "Host". I also set up the Kali VM to send its logs to Splunk, and I see it listed as a "Host" as well. However, the logs coming from the Windows Server 2019 (set up as a Domain Controller) are not showing up as a "Host"; they seem to be merged in with one of the other "Hosts". It is my understanding that any logs coming in from the Server should show up as a different Host, so I should see the Kali VM as a Host, the Windows 10 VM as a Host and the same for Server 2019; however, as I explained, it is not showing up as a Host.
If anybody is willing to help, please let me know what information you would like me to share.
Thank you in advance.
Kirk
Hi @knsaunders ... Some more details are needed, please. You have installed a Splunk system, and you installed Universal Forwarders on 2 other systems.
Then, on the UFs, did you create inputs.conf and outputs.conf?
Are the UFs able to communicate with the Splunk indexer? (Do ping and telnet work fine from the UF to the indexer?)
Thank you for your response!
Yes, I installed Splunk Enterprise on my Kali VM and the Universal Forwarders on Windows 10 Enterprise and Windows Server 2019. I can ping with no problems between all of the machines. For the Kali VM logs, I just installed the "Splunk Add-on for Unix and Linux" app and the logs are being indexed with no problems.
I did edit the inputs.conf and outputs.conf; I can provide a copy of them:
Windows 10 VM
inputs.conf
[default]
host = Windows10Ent
[scripts://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[monitor://C:\logs\remote_access.log]
sourcetype = remote_access_logs
index = remotelogs
[WinEventLog://Application]
index=remotelogs
[WinEventLog://Security]
index=remotelogs
[WinEventLog://System]
index=remotelogs
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.163.129:9997
[tcpout-server://192.168.163.129:9997]
Windows Server 2019
inputs.conf
[default]
host = KKMEDIA-SERVER2019
[scripts://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0
[monitor://C:\logs\remote_access.log]
sourcetype = remote_access_logs
index=remotelogs
[WinEventLog://Application]
index=remotelogs
[WinEventLog://Security]
index=remotelogs
[WinEventLog://System]
index=remotelogs
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.163.129:9997
[tcpout-server://192.168.163.129:9997]
Logs are coming in under 2 Hosts, the Kali machine (where Splunk Ent. is installed) and the Windows 10 VM, and I see them listed as "Hosts". When I did not see the Windows Server 2019 logs coming in, I found this command to check what IP addresses the logs were coming in from, and sure enough one of them was the IP for my Windows Server 2019. When I dug a little deeper and looked at the logs with a Source IP of the Windows Server, it showed "host=kali".
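As an added example (not code from the thread and not Splunk's own parser), the following Python check reads a forwarder inputs.conf, flags malformed stanza headers such as a missing closing bracket, and reports the host each input stanza would stamp on its events, since inputs without their own host= inherit it from [default]. The sample text is constructed from the Server 2019 config above with one deliberately broken header.

```python
# Added example, not from the thread or from Splunk: a small linter for a
# Universal Forwarder inputs.conf that flags malformed stanza headers (e.g. a
# missing closing bracket) and shows the host each input resolves to, since
# inputs without their own host= inherit it from the [default] stanza.
import re

# Constructed sample modelled on the Server 2019 inputs.conf in the thread,
# with one deliberately unterminated stanza header to exercise the check.
SAMPLE_INPUTS_CONF = r"""
[default]
host = KKMEDIA-SERVER2019
[monitor://C:\logs\remote_access.log]
sourcetype = remote_access_logs
index=remotelogs
[WinEventLog://Application]
index=remotelogs
[WinEventLog://System
index=remotelogs
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]*)\]$")

def lint_inputs_conf(text):
    """Return (problems, stanzas): problems is a list of 'line N: ...' strings;
    stanzas maps stanza name -> settings, with host filled in from [default]."""
    problems, stanzas, current = [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA_RE.match(line)
            if m is None:
                problems.append(f"line {lineno}: malformed stanza header {line!r}")
                current = None  # settings that follow cannot be attributed safely
                continue
            current = m.group("name")
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
        else:
            problems.append(f"line {lineno}: cannot attribute {line!r} to a valid stanza")
    # [default] settings apply to every stanza that does not override them; host is the one reported here.
    default_host = stanzas.get("default", {}).get("host")
    for name, settings in stanzas.items():
        if name != "default":
            settings.setdefault("host", default_host)
    return problems, stanzas
```

Run it against the real file from each forwarder; a stanza that is reported as malformed never becomes an input, and the host shown for each surviving stanza is what the indexer should display unless something on the receiving side overrides it.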