[Splunk]How to capture log using Splunk Universal Forwarder
You understand how to install and configure log forwarder to capture remote system logs
Why you need to know
Maintaining the health and security of the remote systems in a network is the primary task of a network admin. Setting up a remote log server will ensure that the logs remain uncompromised in the event of an intruder attack. So, as a network admin, you need to install a log forwarder in all the machines in the network, so that all the logs are forwarded and stored in the main log management server.
What is Splunk
Splunk is a tool for collecting, monitoring, and analyzing log files from servers, app or other sources.
There is a free training here.
We will demonstrate forward log from universal forwarder(Ubuntu) to Indexer (Domain Controller)
1:login Domain Controller
2:Install Splunk Enterprise on Domain Controller. You can see the details here.
3:login Splunk enterprise from the browser.
4:Go to Settings and Forwarding and receiving
5: Receive data and select “Add new”
6: Type 9997 in the black space and save it.
7:You can see the configuration done properly.
8:Set up Windows firewall rules. Go to Control panel> Windows firewall > Advanced Settings
9: Click Inbound rules and New Rules
10: Choose port > TCP, 9997(Specific local ports), Allow the connection
11: you can see the configuration set properly.
12: In order to monitor logs in the network, you need to install Universal log forwarder in it. Here, we are going to monitor Ubuntu machine logs.
Login Ubuntu machine.
Install Splunk Universal Forwarder to Linux (Ubuntu) machine
13: I download and place it Under Download. So you need to unzip the file
14: You need to navigate to bin directory.
15: Start forwarder with following command
16: set admin and password
17: You type the following command and Splunk username + password (you set in 16) #10.0.0.101 is where Index server ( Domain Controller IP address )
18: You can see the following message. It shows that you actually forward logs to the indexer.
19: You use add monitor command to decide which log can be monitored from Indexer. I choose /var/log/auth.log
20: Now time to see the log in Indexer page. You go to Search and click Data Summary.
21: You can see that the data from the forwarder can be seen in the console
You learned how to install and configure log forwarder to capture remote system logs.