Part 2 – Universal Forwarders
Now that we have a working Splunk install, it’s time to get some data in. In this part, I will configure a Universal Forwarder to forward logs to the indexer, then confirm that it is configured correctly by searching Splunk’s internal index for our new forwarder.
The universal forwarder is a package deployed to hosts in order to collect logs locally. Universal forwarders can also act as an aggregation point for logging methods such as syslog and remote collection.
The Host
This article will not cover the installation of CentOS or the configuration steps required to get up to the point of installation. If you need to be walked through setting up a new host, see part 1 of this series. The next step assumes that you already have a CentOS host stood up and running.
Pre-requisites
– A working CentOS host (separate from the Splunk lab)
– The universal forwarder RPM
Installation
This section will cover deploying the universal forwarder to the collection host. Before following these steps you will need to have built the collector (CentOS). Download the Universal Forwarder package from Splunk and move it onto the collector host (either wget from the host or transfer via sftp).
Let’s install the UF package:
rpm -i splunkforwarder-6.3.2-**-linux-2.6-x86_64.rpm
Now enable boot start & accept the license terms:
/opt/splunkforwarder/bin/splunk enable boot-start --accept-license
At this point, connect to the splunklab and allow port 9997/TCP inbound:
firewall-cmd --add-port=9997/tcp --permanent
firewall-cmd --reload
Configuration
Once the UF (universal forwarder) is installed, configuration can begin. First, we need to add the host details of the indexer that the UF will forward to:
/opt/splunkforwarder/bin/splunk add forward-server <host>:9997 -auth admin:changeme
Note: the default credentials for a UF are “admin:changeme”. These can be changed, but we will not go into this right now. Make sure you replace <host> above with the IP address of your splunklab VM.
Start the UF:
/opt/splunkforwarder/bin/splunk start
At this point it is worth restarting Splunk on the splunklab VM. This can be done via the web GUI or by running the following command on the splunklab VM:
/opt/splunk/bin/splunk restart
Checking everything is working
Now it is time to check if everything has gone to plan and the UF is installed/configured correctly. Log in to the splunklab web GUI and perform the following search:
index="_internal" host="collector"
Make sure you replace “collector” with the hostname of your collector. If you do not have the hostname to hand, simply search the _internal index and then select the hosts field; there should be two hosts if all went well (splunklab + collector).
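The same check can be made from the collector side. The following is an added example, not part of the original article: it classifies the indexer in the output of `splunk list forward-server`, which separates active forwards from ones that are configured but not connected (the usual symptom of 9997/tcp still being blocked). The sample outputs and the address 10.0.0.5 are constructed stand-ins for the splunklab VM, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify one indexer in the output of `splunk list forward-server`.
# Reads that output on stdin; $1 is the host:port given to `add forward-server`.
# Prints one of: active | inactive | missing
forward_status() {
    awk -v target="$1" '
        /^Active forwards:/                  { section = "active";   next }
        /^Configured but inactive forwards:/ { section = "inactive"; next }
        {
            gsub(/^[ \t]+|[ \t\r]+$/, "")    # strip indentation and any CR
            if ($0 == target && !found) { found = section }
        }
        END { print (found ? found : "missing") }
    '
}

# Constructed sample outputs (10.0.0.5 is an assumed splunklab address).
SAMPLE_OK='Active forwards:
    10.0.0.5:9997
Configured but inactive forwards:
    None'

SAMPLE_BLOCKED='Active forwards:
    None
Configured but inactive forwards:
    10.0.0.5:9997'

# $1 = text of `list forward-server`, $2 = host:port. Non-zero exit on failure.
check_forwarder() {
    st=$(printf '%s\n' "$1" | forward_status "$2")
    case "$st" in
        active)   echo "OK: forwarding to $2" ;;
        inactive) echo "FAIL: $2 configured but not connected; check 9997/tcp on the indexer"
                  return 1 ;;
        *)        echo "FAIL: $2 is not a configured forward-server"
                  return 2 ;;
    esac
}

# On a live collector (replace <host> as in the configuration step):
#   /opt/splunkforwarder/bin/splunk list forward-server -auth admin:changeme \
#       | forward_status <host>:9997
```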
Next up, Building a Splunk lab [Part 3]