4.4 Inputs Monitoring


Time: 1 hour 59 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
00:00
>> Hi, in this video, we'll monitor data using the universal forwarder we installed in a previous video. To start off, we'll talk about what Splunk configuration or conf files are, then we'll go into an example of monitoring some files by modifying the inputs.conf file on the machine where I installed the universal forwarder. Then we'll make sure we configure receiving on our Splunk server in order to get these logs.

Many but not all configurations can be done on Splunk Web, but if you want to pursue any Splunk administration, you should know how to modify these configuration files directly. You do not want to change conf files under the default folder; instead, create a new file under the local directory.

You might remember what a stanza is from literature class. In a Splunk configuration file, stanzas are sections that start with brackets and contain configuration parameters. Here's an example of two stanzas in a config file. Sometimes you may need to restart Splunk after making changes. There are many different rules for when this occurs, but if you aren't seeing your changes, it may be because Splunk needs to be restarted in order for them to take effect.

There are many important config files, but inputs.conf is a good one to work with. This file is located under Splunk home, which as a standard is either /opt/splunk or Program Files\Splunk, and then etc/system/local.

I'm going to pull up the machine where I have the universal forwarder installed. I'm pretending there's important stuff in this folder here and this logs folder, and I want to collect it in Splunk. I've copied this file path over to this notepad, and it's in the right format for what we would need to copy into the inputs.conf file. I've also given it an index where I want this data to go. I need to run Notepad as an administrator in order to save these changes to the proper location in the Splunk config files. I'm going to right-click on Notepad and hit "Run as administrator," and now I can go File, Open and browse to This PC, going to C:, Program Files, Splunk Universal Forwarder, etc, system, local, and then I'm going to change this from .TXT to All Files, and now we see these in here. It automatically gave a host name in this inputs.conf file, and now I want to add these extra pieces in here. I'm going to copy this in and click "Save," and then I'm going to open up Services, right-click on the Splunk Forwarder service, and click "Restart."

Now we want to make sure we're actually getting this data into the Splunk web interface. Before I jump back to my Splunk server, I want to go through a few reminders. When we installed the universal forwarder, we said our deployment server was the same machine as our search head and our indexer, so we've got an all-in-one; that Splunk server is functioning in multiple roles. When we installed the universal forwarder, we said that's our deployment server, and it uses the default management port of 8089. We also set that machine as an indexer that the forwarder would send data to over port 9997.

If we go to our Splunk server here, we can go to Settings, Forwarder Management like we did when we installed the universal forwarder and see that this host is reporting, so it phoned home, or it reported back, a minute ago. It's communicating to this instance as a deployment server. However, we're not going to get any events that we just set up on our universal forwarder, because Splunk isn't yet configured to receive events as an indexer. If I open up a command prompt here and run the netstat command, we can see the 8089 port is automatically set up and being listened on, but there's nothing for port 9997.

To fix this, I'm going to go back here, go to Settings, Forwarding and receiving, go to Configure receiving, New receiving port, and enter 9997, which is what we set up on the universal forwarder to send to for this server as an indexer. I'm going to save that. Now if I open up that command prompt again and run the netstat command again, we see that it is now listening on that port.

Now if we go to the Search and Reporting app, we should be able to run a search for these events. We set it up as index equals misc, and there's nothing here. What needs to happen next is, we never actually configured that index, so it's trying to send to an index that doesn't exist. I'm going to go to Settings, Indexes, and we're going to create a new index. We call that misc, for miscellaneous. We are going to save that, then go back to Search and Reporting. The other thing that I need to do is hop over here and actually put something in this folder, now that this is being monitored. I'm just going to save a random note in there so that we have something to see in Splunk. Now when I run the search, we just got this last thing that I added.

This is a silly example, but this is exactly the same thing you would do if you were getting logs in this folder and things like that. From there, we could go and break out the different fields like we talked about in the last video, but we've successfully got events into Splunk from our universal forwarder that we got by monitoring a file path.

After modifying a conf file, you may need to blank in order for the changes to take effect. There are a few possible answers, like "save your work," which is a good one, but the one I was looking for was "restart Splunk."

Thanks for watching. In the next video we'll start Module 5, where we'll work to create alerts, searches, reports, and dashboards.
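A small parser for the bracketed-stanza format the video describes, with a check for the exact mistake the video runs into (a monitor stanza pointing at an index that was never created on the indexer). This is an added example, not code from the course or from Splunk; the sample inputs.conf, its paths, host name and index names are constructed.

```python
import re

# Constructed sample inputs.conf modelled on the file edited in the video:
# 'misc' is the index created later in the video; the second monitor stanza
# deliberately points at an index that was never created.
SAMPLE_INPUTS_CONF = """\
[default]
host = WIN-FORWARDER-01

[monitor://C:\\important\\logs]
disabled = false
index = misc

[monitor://C:\\important\\other]
index = notcreated
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def parse_conf(text):
    """Return {stanza_name: {key: value}} for Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        m = STANZA_RE.match(line)
        if m:  # a bracketed header starts a new stanza
            current = m.group("name")
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed or stanza-less line: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_monitor_inputs(stanzas, known_indexes):
    """Flag monitor:// stanzas pointing at an index the indexer does not have."""
    problems = []
    default_index = stanzas.get("default", {}).get("index", "main")
    for name, keys in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        index = keys.get("index", default_index)
        if index not in known_indexes:
            problems.append(f"{name}: index '{index}' does not exist on the indexer")
    return problems
```

Run the checker against the list of indexes from Settings, Indexes before restarting the forwarder; an empty result means every monitored path has somewhere to land.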