[Splunk]How to capture log using Splunk Universal Forwarder

Objectives

Takahiro Oda
4 min read, Dec 30, 2021

You will understand how to install and configure a log forwarder to capture remote system logs.

Why you need to know

Maintaining the health and security of the remote systems in a network is the primary task of a network admin. Setting up a remote log server ensures that the logs remain uncompromised in the event of an intruder attack, because a copy already exists off the attacked host. So, as a network admin, you need to install a log forwarder on every machine in the network so that all logs are forwarded to, and stored on, the main log management server.

What is Splunk

Splunk is a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources.

There is free training here:

https://www.splunk.com/en_us/training/videos/all-videos.html

We will demonstrate forwarding logs from a Universal Forwarder (Ubuntu) to an Indexer (Domain Controller).

Network Topology

Demo

1: Log in to the Domain Controller.

2: Install Splunk Enterprise on the Domain Controller. You can see the details here:

https://www.splunk.com/en_us/training/videos/installing-splunk-enterprise-on-windows.html

3: Log in to Splunk Enterprise from the browser.

4: Go to Settings > Forwarding and receiving.

5: Under Receive data, select “Add new”.

6: Type 9997 in the blank field and save it.

7: You can see that the configuration was done properly.

8: Set up the Windows Firewall rules. Go to Control Panel > Windows Firewall > Advanced Settings.

9: Click Inbound Rules and then New Rule.

10: Choose Port > TCP, 9997 (Specific local ports), Allow the connection.

11: You can see that the configuration is set properly.

12: In order to monitor the logs of a machine in the network, you need to install the Universal Forwarder on it. Here, we are going to monitor an Ubuntu machine's logs.

Log in to the Ubuntu machine.

Install Splunk Universal Forwarder on the Linux (Ubuntu) machine

13: I downloaded it and placed it under Downloads. So you need to unzip the file.

14: Navigate to the bin directory.

15: Start the forwarder with the following command:

16: Set the admin username and password.

17: Type the following command with the Splunk username and password (which you set in step 16). # 10.0.0.101 is the Indexer (the Domain Controller's IP address).

18: You can see the following message. It shows that you are actually forwarding logs to the indexer.

19: Use the add monitor command to decide which log can be monitored from the Indexer. I chose /var/log/auth.log.

20: Now it is time to see the log on the Indexer page. Go to Search and click Data Summary.

21: You can see that the data from the forwarder is visible in the console.
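As an added check that is not part of the original post: after steps 17 to 19, the forwarder side can be verified from the configuration the CLI leaves behind, rather than only from the indexer's Data Summary. It assumes the indexer is 10.0.0.101:9997 as in the post; the outputs.conf and inputs.conf contents below are constructed samples in the shape `splunk add forward-server` and `splunk add monitor` write, standing in for the real files under the forwarder's install directory.

```shell
#!/bin/sh
# Added example (not from the original post): after `splunk add forward-server` and
# `splunk add monitor`, confirm the forwarder's generated config points at the indexer
# and watches the intended file. Assumes the indexer is 10.0.0.101:9997 as in the post;
# the conf files are constructed samples in the shape the CLI writes.

# Exit 0 when some [tcpout:<group>] stanza in OUTPUTS_FILE lists HOST:PORT as a server.
uf_has_forward_server() {  # uf_has_forward_server OUTPUTS_FILE HOST:PORT
    awk -v want="$2" '
        /^\[tcpout:/ { in_group = 1; next }   # enter an output group stanza
        /^\[/        { in_group = 0 }         # any other stanza ends it
        in_group && /^server[ \t]*=/ {
            sub(/^server[ \t]*=[ \t]*/, "")
            n = split($0, srv, /[ \t]*,[ \t]*/)   # server list may be comma-separated
            for (i = 1; i <= n; i++) if (srv[i] == want) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Exit 0 when INPUTS_FILE has a [monitor://PATH] stanza that is not disabled.
uf_has_monitor() {  # uf_has_monitor INPUTS_FILE /absolute/path
    awk -v want="[monitor://$2]" '
        $0 == want   { in_stanza = 1; found = 1; next }
        /^\[/        { in_stanza = 0 }
        in_stanza && /^disabled[ \t]*=[ \t]*(1|true)/ { found = 0 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Constructed samples of what the two CLI commands leave behind (not real files).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.0.101:9997
EOF
cat > "$SAMPLE_DIR/inputs.conf" <<'EOF'
[monitor:///var/log/auth.log]
disabled = false
EOF

uf_has_forward_server "$SAMPLE_DIR/outputs.conf" 10.0.0.101:9997 \
    && echo "outputs.conf: forwarding to 10.0.0.101:9997" || echo "outputs.conf: indexer missing"
uf_has_monitor "$SAMPLE_DIR/inputs.conf" /var/log/auth.log \
    && echo "inputs.conf: monitoring /var/log/auth.log" || echo "inputs.conf: monitor missing"
```

Point the two functions at the real outputs.conf and inputs.conf under the forwarder's etc directory to check an actual install; a wrong indexer address or a disabled monitor stanza is reported as a failing exit status.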

Conclusion

You learned how to install and configure a log forwarder to capture remote system logs.
