Time
1 hour 59 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Hi. In this video we'll monitor data using the Universal Forwarder we installed in the previous video.
00:08
To start off, we'll talk about what Splunk configuration, or .conf, files are.
00:14
Then we'll go into an example of monitoring some files by modifying the inputs.conf file on the machine where I installed the Universal Forwarder.
00:23
Then we'll make sure we configure receiving on our Splunk server in order to get these logs.
00:32
Many, but not all, configurations can be done in Splunk Web.
00:37
But if you want to pursue any kind of Splunk administration, you should know how to modify these configuration files directly.
00:45
You do not want to change .conf files under the default folder. Instead, create a new file under the local directory.
00:52
You might remember what stanzas are from literature class. In a Splunk configuration file, stanzas are sections that start with brackets and contain configuration parameters.
01:03
Here's an example of two stanzas in a config file.
01:07
Sometimes you may need to restart Splunk after making changes. There are many different rules for when this occurs, but if you aren't seeing your changes, it may be because Splunk needs to be restarted in order for them to take effect.
01:21
There are many important config files, but inputs.conf is a good one to work with.
01:26
This file is located under $SPLUNK_HOME, which as a standard is either /opt/splunk or Program Files\Splunk, and then etc/system/local.
01:40
I'm gonna pull up the machine where I have the Universal Forwarder installed.
01:47
I'm pretending there's important stuff in this folder here, in this logs folder, and I want to collect it in Splunk. I've copied this file path over to this Notepad, and it's in the right format for what we would need to copy into the inputs.conf file.
02:12
I've also given it an index where I want this data to go.
02:17
I need to run Notepad as an administrator in order to save these changes to the proper location in the Splunk config files. So I'm gonna right click on Notepad and hit Run as Administrator.
02:34
And now I can go File > Open and browse to This PC, going to C:\Program Files\SplunkUniversalForwarder\etc\system\local.
02:55
And then I'm gonna change this from .txt to All Files, and now we see these in here.
03:02
So it automatically gave a hostname in this inputs.conf file, and now I want to add the extra pieces in here.
03:13
So I'm going to copy this in and click Save, and then I'm gonna open up Services, right click on the SplunkForwarder service and click Restart.
03:30
Now we want to make sure we're actually getting this data into the Splunk Web interface. Before I jump back to my Splunk server, I want to go through a few reminders.
03:42
When we installed the Universal Forwarder, we said our deployment server was the same machine as our search head and our indexer. So we've got it all in one; that Splunk server is functioning in multiple roles. So when we installed the Universal Forwarder, we said that's our deployment server, and it uses the default management port of 8089.
04:08
We also set that machine as an indexer that the forwarder would send data to over port 9997.
04:15
If we go to our Splunk server here, we can go to Settings > Forwarder Management, like we did when we installed the Universal Forwarder, and see that this host is reporting. So it phoned home, or it reported back, a minute ago. So it's communicating to this instance as a deployment server.
04:42
However, we're not going to get any events that we just set up on our Universal Forwarder, because Splunk isn't yet configured to receive events as an indexer.
04:53
If I open up a command prompt here and run the netstat command, we can see the 8089 port is already set up and being listened on. But there's nothing for port 9997.
05:12
To fix this, I'm gonna go back here, go to Settings > Forwarding and receiving, Configure receiving, New Receiving Port, and enter 9997, which is what we set up on the Universal Forwarder to send to for this server as an indexer. I'm gonna save that.
05:42
Now, if I open up that command prompt again and run the netstat command again, we see that it's now listening on that port.
05:54
So now if we go to the Search and Reporting app, we should be able to run a search for these events. So we set it up as index=ms, and there's nothing here.
06:13
So what needs to happen next is, we never actually configured that index. So it's trying to send to an index that doesn't exist. So you go to Settings > Indexes, and we're gonna create a new index. We'll call that ms, for miscellaneous. You must save that. Go back to Search and Reporting.
06:42
And the other thing that I need to do is hop over here and actually put something in this folder. So now that this is being monitored, I'm just gonna save a random note in there so that we have something to see in Splunk. So now when I run the search, we just got this last thing that I added.
07:04
So this is kind of a silly example, but this is exactly the same thing you would do if you were getting logs in this folder and things like that. From there we could go and break out the different fields like we talked about in the last video.
07:16
But we've successfully got events into Splunk from our Universal Forwarder that we got by monitoring a file path.
07:30
So, after modifying a .conf file, you may need to (blank) Splunk in order for the changes to take effect.
07:43
There are a few possible answers; "save your work" is a good one.
07:46
But the one I was looking for was "Restart Splunk".
07:50
Thanks for watching. In the next video, we'll start Module 5, where we'll work to create alert searches, reports and dashboards.


Instructed By

Natasha Staples
Incident Response Security Engineer at Arrow Electronics
Instructor