Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome back to the Splunk Enterprise Administrator
00:04
course on Cyber. This video is gonna be a lab where we're gonna go over configuring a Splunk Universal foreigner, getting it set up to phone home to the deployment server on then receiving all of the configurations that it needs
00:19
to be a forwarder and to send logs into Splunk. And we would be able to
00:25
malady that we're receiving that data at the end
00:28
of the video as well. So
00:31
without further ado, let's get started. We're gonna review some of these APS that I've already set up in us. Plunk. So right now I'm on my deployment server. Get here. You just go settings. Ford or Management either have to have some maps in your deployment APS directory or some clients phoning home.
00:50
So
00:51
what I have so far is some baseline APS What? Splunk training and professional services will call these is based convicts. Basically. So there, the standard settings that you need to configure a Splunk component to be
01:08
that component to fulfill its purpose. So right now we have this deployment clients app, which is going to configure all clients, uh,
01:19
to phone home to this deployment server.
01:23
Then we have all 42 outputs, which will tell the foragers their outputs dot com configurations that they send their logs to the indexer. And then this is just a generic inputs app that we're going to use to test that everything is working.
01:38
So first thing, let's just quick review these files so
01:45
we'll go to that directory
01:47
clima naps,
01:48
and we will cat out all deployment clients default deployment client dot com So you can see it's just gonna point them to this server on the management port and have them phone home every 60 seconds.
02:02
Then, if you want to look at the all forwarders outputs, we've got this output stock comp configuration, which is defining the indexers and then telling it which default group to use this being the group name
02:19
on. Then we finally have our inputs, which
02:23
is just a small, discreet app containing an input stock Huff stock stanza that's gonna monitor the Windows security log. It's not disabled because we wanted to actually be doing something. It's going to send a main because that's the only index I really have figured right now, and we'll just set the source type to win event long,
02:43
so those air that configurations that are universal border we'll get as soon as they phone home because we already have the server classes in place, which are set to send to every thing that phones home at the moment. So
03:00
we will get our Universal Ford or set up now, so I'll show you
03:04
where to get that package. If you just search Splunk Universal for your package, it should be the first Google result.
03:12
This is important because the universal four days I've mentioned is a lighter weight install of Splunk, so you can't just use Splunk enterprise. You want this package for your forwarders because it's lightweight and just won't use much system. Resource is,
03:29
it's a little bit slow loading, but we'll get there.
03:32
I've already got this file downloaded ahead of time, but I just want to show you just for the sake of S O. You know, you just pick your operating system here. In my case, I am Windows 64 bit Windows 10. So I would hit download now, except that I've already downloaded this. So I'm not going to.
03:50
But then you just click it uh, it warns you that Hey, this is inexcusable. And that could be bad. But we trust this.
03:59
We'll check the box to agree with the license agreement. We're not using Spawn Cloud,
04:05
so we keep this checked,
04:09
we'll set our user name and a secure password.
04:15
Hopes
04:21
not going to set the deployment server here because that would set it in a system local deployment client dot com. And if we do it that way, then we can't manage the configuration through our deployment server. So we're gonna skip this step and set up as an app manually. Same concept with this receiving indexer.
04:41
We're not going to figure this at all because we already have our APS configured
04:45
so that as soon as this forwarder phones home to the deployment server, it will get all the configurations it needs.
04:53
So now we'll do we install, allow that, do whatever it needs to do,
05:00
then a little bit of hurry up and wait.
05:05
So once those insults will just check to make sure that it's running so we'll go to services
05:13
and we'll look for Splunk Universal Foreigner,
05:15
South Medical. So should be ray here. So it is running So this is a Splunk universal forger. Now,
05:23
where you you can find this directory will be see
05:27
program files,
05:29
***, universal Florida
05:32
and we're gonna need to go into etc. APS and create a new app that is going to be used for configuring this as a deployment client to the deployment server.
05:43
The key here is that we needed to match the exact name of our app that we're gonna replace it with when it phones home.
05:49
So we'll copy that.
05:53
Come back to here,
05:56
create that
05:59
make a default directory in here.
06:00
And then this is where we'll put our deployment client dot com.
06:06
We need a text editor note that I am running. This is administrator because otherwise I won't have access to right to this location.
06:14
And I don't actually know this setting off the top of my head.
06:18
So I tend to just look up the documentation
06:25
and I love these like Splunk has these in the admin manual. For all of the files. I used them constantly, and you probably should as well were very helpful. They'll go through everything you need to know about any configuration file and give you some examples
06:39
but I know that this is the setting that we need. So I'm gonna copy this over into my no pad plus. Plus,
06:45
I'm gonna remove this part because that is not relevant to me.
06:50
And copy the i p address of my device.
06:55
That's it. Now, just save this.
06:58
Um, I'm already in the proper directory. If not, you'd have to just locate it yourself.
07:04
We'll save it as a dot com.
07:06
We'll change this to dot stars so that it saves us a dot com found out a text file.
07:13
So now that's basically ready. We just need to,
07:16
um, restart this splitting service.
07:19
So there's a couple ways we can do that. I'm gonna do it through an administrative command. Prompt.
07:27
We'll just change directories to
07:31
program files. You need
07:34
the double quotes
07:36
to tell it that it's,
07:39
um,
07:40
that the white space is part of the directory path. I didn't mean to hit Enter. There was maximum, but it doesn't really matter,
07:50
so we'll restart the service.
07:55
Seems we restart the service. We should hopefully start. See it phoning home
08:00
to our deployment server.
08:05
If it doesn't, there's a couple things we can check first. We need to make sure
08:09
that,
08:11
uh, the APP is allowed through the firewall.
08:20
Blunk application is allowed, so
08:24
that should not be a problem.
08:26
Yeah.
08:28
The next step, I guess, would be to check to see
08:33
if we're listening.
08:39
So we are. We're listening for 80 89 right there.
08:43
So that should not be an issue.
08:46
Let's make sure that we save this in the right place.
08:50
Deployment clients duck off,
08:56
and we have the proper setting,
09:01
so that should be
09:03
working.
09:05
We can, in our command, prompt. We can run a B tool to make sure
09:11
that are setting, is there
09:16
and it ISS.
09:18
So
09:20
that should be working.
09:28
Ah,
09:33
we can try
09:35
removing this and then re adding it. And maybe that will address our issue
09:43
because this was from a previous install of
09:48
a split universal order, so that could cause some weirdness.
09:52
Let's see if that
09:56
Yep. And that did it. So now you can see we have one client phoning home
10:01
and three downloads. Each of these APS was deployed.
10:05
So if I come back and I check in my folder, you can see my APS now exist here.
10:11
So that also means if I were to run my be tool
10:15
and see my inputs
10:18
And let's just look for half equals
10:26
all windows inputs.
10:30
You can see that my settings were sent here.
10:33
So now we can look and search in Splunk
10:37
to see what longs we have. So we should be seeing
10:48
That's two all time. Maybe
10:52
there we go.
10:52
So now you can see we actually are receiving logs from this device.
10:58
So that's our windows. That's the inputs that we enabled. Then also we should be able to see
11:05
this is my host name. I just happen to know that we should see internal logs coming in as well and we dio So we've successfully set this device up as a universal Florida er and it's fording logs to our Splunk instance. Um, it's reporting to our deployment server. And as you can see,
11:24
this makes it very easy to get all your foreigners set up. So
11:28
all you need to do is have your app installed. So it points back to the deployment server and then it will automatically have the absent needs deployed to it. So now that thing is entirely configured. That's exactly what it needs to be to be a border, so that's perfect.
11:43
That's gonna wrap up this lab, and we'll keep working
11:48
on building out our Splunk deployment in the next videos. So I will see you then.

Up Next

Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Instructor Profile Image
Anthony Fecondo
Splunk Professional Service Consultant
Instructor