3.5 Installing a Universal Forwarder
Video Activity

Video Transcription
>> In this Module 3 video, we'll be installing a universal forwarder. As a review, a universal forwarder gets installed on the machine you want to collect data from and forwards it on to be indexed and used. There are other ways to get data into Splunk, but this is a popular and useful method.

At this point, there are a few checks you should do to make sure that when you install the universal forwarder, you're able to send the data you want onward. You'll need to make sure there's a clear path of communication between where you install the universal forwarder and your Splunk server, and other Splunk components when you decide to break it out and add more pieces. Splunk by default also uses several ports that will need to be open and allowed for Splunk to work. You also want to make sure that the account you're using to set up Splunk has the necessary permissions to access the data you want to forward. In this simple environment, you'll need ports 9997 and 8089, unless you'd like to change these from the default options.

This diagram from splunk.com is helpful at visualizing the communication path. In this video, we're focused down here on the communication between the universal forwarder, indexers, and deployment server. While it's important to know how to go through a manual installation of the universal forwarder, another option to consider when you get to a larger environment is using a deployment tool like SCCM, Ansible, or Chef.

To get started, I've got two machines we'll be working from. This Linux box is going to be my main Splunk server. It holds the search head, where we can log in and run searches and checks, and it also functions for indexing and managing forwarders. Then this Windows machine is where we will be installing the universal forwarder.

To start off, I'm logged into splunk.com. From here, we'll go to Products, Free Trial and Download, and then scroll down to where we can download the universal forwarder. I've already downloaded it to save us some time, so I'm just going to hop into my Downloads folder here and double-click on it. Accept the licensing agreement, hit Next. Create a username and password. Like I mentioned, we're not doing a distributed environment, so our search head is performing multiple roles, including that of a deployment server, so I put in the IP for that and the default management port of 8089 and hit Next. I'm also going to put it here, as it works as an indexer. Click Next and Install. Click Yes on that, and it's successfully installed. I'm going to click Finish.

Once you've done the install, something you'll probably want to do is restart the Splunk service. I'm just going to open this up, scroll down to the SplunkForwarder service, and restart that. Hop back to my Linux machine here. Once we've logged into the web console, we're going to go to Settings and Forwarder Management, and it's not yet picking it up. Sometimes it takes a second. Leave it there and do a couple of refreshes. But now on the Forwarder Management page we can see this is the name of the host where we installed the universal forwarder, so it's successfully reporting back to our deployment server/search head.

With that, we can say that we've successfully completed the activity for this video. The next video will be for Module 4, where we'll be working with data. Thanks for watching.