Hi, I am struggling to configure the Splunk forwarder to get data into Splunk. I am trying to get the data (auth.log) sent across from a Kali Linux operating system. When I configured it in Kali I used the syntax below (the IP address is my Kali IP address when I run ifconfig; I followed a guide online where it said to put port 11000):

./splunk add forward-server 192.168.253.XX:11000

(Note: XX is not correct, but I did not want to disclose my IP on here.)

I then did the below:

./splunk add monitor /var/log/access.log

Then I restarted Splunk. I then went into Splunk Enterprise, Settings, and then Forwarder Management. I can see the below. The IP address is not the same as the Kali Linux VM IP; is that normal? The first three octets are the same, but not the fourth (I assume it is because it is a /24 subnet). I then go into Search and Reporting, but there is no data summary or any data that came across. What am I doing wrong?

Host Name: User-PC
Apps: None
Server Classes: None
Client Name: 72660893-7D38-4486-A625-A57C08C5592A
Instance Name: User-PC
IP Address: 192.168.253.1
Machine Type: windows-x64
Deployed Apps: 0 deployed
Phone Home: 8 minutes ago

Essentially, I am playing around with a few VMs (Ubuntu, Windows 10, Kali Linux) and trying to get the data from those VMs to Splunk Enterprise and play around with setting up some alerts and generating some reports. Maybe the Universal Forwarder is not the best idea for what I am trying to do? I am very new at this, so any help would be great. Thanks in advance for any help.
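The two `splunk add ...` commands in the post write stanzas into the forwarder's `etc/system/local/outputs.conf` (the receiving indexer and port) and `etc/system/local/inputs.conf` (the monitored files). A quick way to see what actually got configured, and whether the forwarder can reach the receiver at all, is to read those two files back and attempt a TCP connect to each configured `host:port`. The script below is an added example written for this page, not something from the post or from Splunk's own tooling. It assumes a `SPLUNK_HOME`-style directory layout and builds a constructed pair of conf files in a temp directory so it runs offline; the port is whatever you configured (Splunk's own default receiving port is 9997, and the indexer must have been told to listen on the port you choose, for example with `splunk enable listen 9997` on the indexer side). After a successful connect, the forwarder's own logs show up under `index=_internal host=<forwarder>` before any monitored file does, which is a handy first search.

```shell
#!/usr/bin/env bash
# Added example: read back a Universal Forwarder's local outputs.conf / inputs.conf
# and test TCP reachability of each configured receiver. Not Splunk's own code.

# Print one host:port per line from every "server = a:b, c:d" line in outputs.conf.
parse_forward_servers() {
  grep -E '^[[:space:]]*server[[:space:]]*=' "$1" \
    | sed 's/^[^=]*=[[:space:]]*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$'
}

# Print one monitored path per line from every [monitor://...] stanza in inputs.conf.
parse_monitors() {
  sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$1"
}

# Return 0 if a TCP connection to host:port succeeds within 3 seconds, non-zero otherwise.
# Uses bash's /dev/tcp so no extra tools are needed on the forwarder host.
check_receiver() {
  host=$1
  port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Walk a SPLUNK_HOME and report what the two 'splunk add' commands produced.
audit_forwarder() {
  splunk_home=$1
  outputs="$splunk_home/etc/system/local/outputs.conf"
  inputs="$splunk_home/etc/system/local/inputs.conf"
  rc=0
  echo "Receivers configured in $outputs:"
  for hp in $(parse_forward_servers "$outputs"); do
    host=${hp%:*}
    port=${hp##*:}
    if check_receiver "$host" "$port"; then
      echo "  $hp reachable"
    else
      echo "  $hp NOT reachable (is the indexer listening on $port?)"
      rc=1
    fi
  done
  echo "Files monitored in $inputs:"
  for p in $(parse_monitors "$inputs"); do
    if [ -r "$p" ]; then
      echo "  $p (readable)"
    else
      echo "  $p NOT readable by $(id -un); the forwarder will send nothing from it"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample SPLUNK_HOME mirroring what the post's two commands would write
# (hypothetical receiver 192.0.2.10:11000; 192.0.2.0/24 is a documentation range).
make_sample_home() {
  dir=$(mktemp -d)
  mkdir -p "$dir/etc/system/local"
  cat > "$dir/etc/system/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.0.2.10:11000

[tcpout-server://192.0.2.10:11000]
EOF
  cat > "$dir/etc/system/local/inputs.conf" <<'EOF'
[monitor:///var/log/access.log]
disabled = false

[monitor:///var/log/auth.log]
disabled = false
EOF
  echo "$dir"
}

# Usage on a real forwarder: audit_forwarder /opt/splunkforwarder
```

Run `audit_forwarder /opt/splunkforwarder` on the Kali box; a "NOT reachable" line means the problem is on the network or indexer side (firewall, wrong port, or no `enable listen` on the indexer), while a "NOT readable" line means the forwarder's user cannot open the file (auth.log is typically root-readable only), in which case nothing is sent even though the connection is healthy.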