[Splunk] How to capture logs using Splunk Universal Forwarder

You will understand how to install and configure a log forwarder to capture remote system logs.

Why you need to know

Maintaining the health and security of the remote systems in a network is the primary task of a network admin. Setting up a remote log server will ensure that the logs remain uncompromised in the event of an intruder attack. So, as a network admin, you need to install a log forwarder on all the machines in the network, so that all the logs are forwarded to and stored on the main log management server.

What is Splunk

Splunk is a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources.

There is a free training here.


We will demonstrate forwarding logs from a universal forwarder (Ubuntu) to an indexer (Domain Controller).

Network Topology


1: Log in to the Domain Controller.

2: Install Splunk Enterprise on the Domain Controller. You can see the details here.


3: Log in to Splunk Enterprise from the browser.

4: Go to Settings, then Forwarding and receiving.

5: Under Receive data, select “Add new”.

6: Type 9997 in the blank space and save it.

7: You can see that the configuration was done properly.

8: Set up the Windows firewall rule. Go to Control Panel > Windows Firewall > Advanced Settings.

9: Click Inbound Rules, then New Rule.

10: Choose Port > TCP, 9997 (Specific local ports), Allow the connection.

11: You can see that the configuration was set properly.

12: To monitor the logs of a machine in the network, you need to install the Universal Forwarder on it. Here, we are going to monitor the Ubuntu machine's logs.

Log in to the Ubuntu machine.

Install Splunk Universal Forwarder on the Linux (Ubuntu) machine

13: I downloaded the file and placed it under Download, so you need to unzip it.

14: Navigate to the bin directory.

15: Start the forwarder with the following command.

16: Set the admin username and password.

17: Type the following command, then enter the Splunk username and password (the ones you set in step 16). The # is where the indexer address (the Domain Controller IP address) goes.

18: You can see the following message. It shows that you are actually forwarding logs to the indexer.

19: Use the add monitor command to decide which log can be monitored from the indexer. I chose /var/log/auth.log.

20: Now it is time to see the log on the indexer page. Go to Search and click Data Summary.

21: You can see that the data from the forwarder appears in the console.
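The forwarder-side steps 15 to 19 as one script, with a check that the indexer really is listed as an active forward (an added example, not from the original post). The install path, the placeholder indexer address 192.0.2.10 and the layout of the `list forward-server` output are assumptions.

```bash
#!/usr/bin/env bash
# Added example: forwarder-side steps 15-19 plus a check of the step 18 result.
# Assumptions: default install path, placeholder indexer IP (192.0.2.10).
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"
INDEXER="${INDEXER:-192.0.2.10:9997}"    # Domain Controller IP : port from step 6
LOGFILE="${LOGFILE:-/var/log/auth.log}"  # log chosen in step 19

# Steps 15-19: start the forwarder (prompts for the admin account on first
# start), point it at the indexer, then monitor the chosen log.
configure_forwarder() {
    "$SPLUNK_BIN" start --accept-license &&
    "$SPLUNK_BIN" add forward-server "$INDEXER" &&
    "$SPLUNK_BIN" add monitor "$LOGFILE"
}

# Reads `splunk list forward-server` output on stdin and succeeds only when
# host:port ($1) is under "Active forwards" (headings assumed as in the samples).
# An entry only under "Configured but inactive forwards" delivers nothing.
forward_is_active() {
    awk -v want="$1" '
        /^Active forwards:/                  { section = "active";   next }
        /^Configured but inactive forwards:/ { section = "inactive"; next }
        section == "active" {
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample outputs: a working link, and one where the receiving
# port or the firewall rule on the indexer is not in place.
sample_active() {
    printf 'Active forwards:\n\t192.0.2.10:9997\nConfigured but inactive forwards:\n\tNone\n'
}
sample_blocked() {
    printf 'Active forwards:\n\tNone\nConfigured but inactive forwards:\n\t192.0.2.10:9997\n'
}

# Touch the real forwarder only when called with --apply.
if [ "${1:-}" = "--apply" ]; then
    configure_forwarder || exit 1
    sleep 5   # give the forwarder a moment to connect
    if "$SPLUNK_BIN" list forward-server | forward_is_active "$INDEXER"; then
        echo "forwarding to $INDEXER is active"
    else
        echo "$INDEXER is configured but not active: check steps 5-11" >&2
        exit 1
    fi
fi
```

Run it with `--apply` on the Ubuntu machine after setting `INDEXER` to the Domain Controller address; without that argument it only defines the functions.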


You learned how to install and configure a log forwarder to capture remote system logs.




Security Analyst(Full-time), Cloud security engineer(internship). https://www.linkedin.com/in/takahiro-oda-881423197/
