Configuring a Forwarder Lab
Hello and welcome back to the Splunk Enterprise Administrator course on Cybrary. This video is gonna be a lab where we're gonna go over configuring a Splunk Universal Forwarder, getting it set up to phone home to the deployment server and then receiving all of the configurations that it needs to be a forwarder and to send logs into Splunk. And we will be able to validate that we're receiving that data at the end of the video as well.

So without further ado, let's get started. We're gonna review some of these apps that I've already set up in Splunk. So right now I'm on my deployment server. To get here, you just go to Settings > Forwarder Management; you either have to have some apps in your deployment-apps directory or some clients phoning home.
What I have so far is some baseline apps. What Splunk training and professional services will call these is base configs, basically. So they're the standard settings that you need to configure a Splunk component to be that component, to fulfill its purpose. So right now we have this deployment client app, which is going to configure all clients to phone home to this deployment server. Then we have all forwarders outputs, which will give the forwarders their outputs.conf configuration so that they send their logs to the indexer. And then this is just a generic inputs app that we're going to use to test that everything is working.
So first thing, let's just quickly review these files. So we'll go to that directory and we will cat out all deployment clients/default/deploymentclient.conf. So you can see it's just gonna point them to this server on the management port and have them phone home every 60 seconds. Then, if you want to look at the all forwarders outputs, we've got this outputs.conf configuration, which is defining the indexers and then telling it which default group to use, this being the group name. And then we finally have our inputs, which is just a small, discrete app containing an inputs.conf stanza that's gonna monitor the Windows Security log. It's not disabled because we want it to actually be doing something. It's going to send to main because that's the only index I really have configured right now, and we'll just set the sourcetype to WinEventLog.
So those are the configurations that our Universal Forwarder will get as soon as it phones home, because we already have the server classes in place, which are set to send to everything that phones home at the moment. So we will get our Universal Forwarder set up now, so I'll show you where to get that package. If you just search "Splunk Universal Forwarder package", it should be the first Google result. This is important because the Universal Forwarder, as I've mentioned, is a lighter-weight install of Splunk, so you can't just use Splunk Enterprise. You want this package for your forwarders because it's lightweight and just won't use much system resources.
It's a little bit slow loading, but we'll get there. I've already got this file downloaded ahead of time, but I just want to show you, just for the sake of it, so you know: you just pick your operating system here. In my case, I am on Windows 64-bit, Windows 10. So I would hit Download Now, except that I've already downloaded this, so I'm not going to. But then you just click it. It warns you that, hey, this is an executable and that could be bad, but we trust this. We'll check the box to agree with the license agreement. We're not using Splunk Cloud, so we keep this checked. We'll set our username and a secure password.
I'm not going to set the deployment server here because that would set it in system/local/deploymentclient.conf, and if we do it that way, then we can't manage the configuration through our deployment server. So we're gonna skip this step and set it up as an app manually. Same concept with this receiving indexer: we're not going to configure this at all because we already have our apps configured, so that as soon as this forwarder phones home to the deployment server, it will get all the configurations it needs. So now we'll do the install, allow that, let it do whatever it needs to do, then a little bit of hurry up and wait.
So once that's installed, we'll just check to make sure that it's running, so we'll go to Services and we'll look for Splunk Universal Forwarder, alphabetically, so it should be right here. So it is running. So this is a Splunk Universal Forwarder now. Where you can find this directory will be C:\***\SplunkUniversalForwarder, and we're gonna need to go into etc\apps and create a new app that is going to be used for configuring this as a deployment client to the deployment server. The key here is that we need to match the exact name of the app on the deployment server that we're gonna replace it with when it phones home. So we'll copy that, come back to here, make a default directory in here. And then this is where we'll put our deploymentclient.conf.
We need a text editor. Note that I am running this as administrator because otherwise I won't have access to write to this location. And I don't actually know this setting off the top of my head, so I tend to just look up the documentation. And I love these; Splunk has these in the Admin Manual for all of the files. I use them constantly, and you probably should as well. They're very helpful. They'll go through everything you need to know about any configuration file and give you some examples. But I know that this is the setting that we need, so I'm gonna copy this over into my Notepad++. I'm gonna remove this part because that is not relevant to me, and copy the IP address of my device. That's it. Now just save this. I'm already in the proper directory; if not, you'd have to just locate it yourself. We'll save it as a .conf. We'll change this to *.* so that it saves as a .conf file and not a text file.
So now that's basically ready. We just need to restart the Splunk service. So there's a couple of ways we can do that. I'm gonna do it through an administrative command prompt. We'll just change directories to Program Files. You need the double quotes to tell it that the white space is part of the directory path. I didn't mean to hit Enter there, but it doesn't really matter, so we'll restart the service. Once we restart the service, we should hopefully start to see it phoning home to our deployment server.
If it doesn't, there's a couple of things we can check. First, we need to make sure the app is allowed through the firewall. The Splunk application is allowed, so that should not be a problem. The next step, I guess, would be to check to see if we're listening. So we are; we're listening on 8089 right there. So that should not be an issue. Let's make sure that we saved this in the right place: deploymentclient.conf, and we have the proper setting, so that should be fine. In our command prompt, we can run btool to make sure that our setting is there, and it is. That should be working. We can try removing this and then re-adding it, and maybe that will address our issue, because this was from a previous install of a Splunk Universal Forwarder, so that could cause some weirdness. Let's see if that... Yep, and that did it. So now you can see we have one client phoning home and three downloads; each of these apps was deployed.
So if I come back and I check in my folder, you can see my apps now exist here. So that also means if I were to run my btool and see my inputs, and let's just look for the all windows inputs app, you can see that my settings were sent here. So now we can look and search in Splunk to see what logs we have. So we should be seeing... let's do All time. Maybe... there we go. So now you can see we actually are receiving logs from this device. So that's our Windows; that's the inputs that we enabled. Then also we should be able to see (this is my hostname; I just happen to know that) internal logs coming in as well, and we do. So we've successfully set this device up as a Universal Forwarder and it's forwarding logs to our Splunk instance. It's reporting to our deployment server. And as you can see, this makes it very easy to get all your forwarders set up. So all you need to do is have your app installed so it points back to the deployment server, and then it will automatically have the apps it needs deployed to it. So now that thing is entirely configured; that's exactly what it needs to be to be a forwarder, so that's perfect.

That's gonna wrap up this lab, and we'll keep working on building out our Splunk deployment in the next videos. So I will see you then.
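The forwarder-side steps from the lab (create the bootstrap app with deploymentclient.conf, restart the service, then verify with btool and a port check), as an added PowerShell example that is not part of the course video. It assumes the default Windows install path, the standard management port 8089, the Windows service name SplunkForwarder, a placeholder deployment server IP, and an app name (all_deploymentclient) that must be changed to match the app the deployment server actually pushes.

```powershell
# Added example, not from the course: bootstrap a Windows Universal Forwarder as a
# deployment client and verify the result. Run from an elevated PowerShell session.
# Assumptions: default install path, management port 8089, service name SplunkForwarder.
$SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder'
$DeploymentServer = '192.0.2.10'           # placeholder IP; replace with your deployment server
$AppName          = 'all_deploymentclient' # assumed name; must match the app on the deployment server

$AppDefault = Join-Path $SplunkHome "etc\apps\$AppName\default"
New-Item -ItemType Directory -Path $AppDefault -Force | Out-Null

# Put the setting in an app, not system\local, so the deployment server can replace it later.
@"
[target-broker:deploymentServer]
targetUri = ${DeploymentServer}:8089

[deployment-client]
phoneHomeIntervalInSecs = 60
"@ | Set-Content -Path (Join-Path $AppDefault 'deploymentclient.conf') -Encoding ASCII

# The firewall/listening check from the video: is the management port reachable from here?
$probe = Test-NetConnection -ComputerName $DeploymentServer -Port 8089
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${DeploymentServer}:8089; check firewall rules and that the server is listening."
}

# Restart the forwarder so it reads the new app and starts phoning home.
Restart-Service -Name SplunkForwarder

# btool prints the effective setting and, with --debug, the file each line came from.
& "$SplunkHome\bin\splunk.exe" btool deploymentclient list --debug

# Once the deployment server has pushed its apps, the Windows Security log input should show up.
& "$SplunkHome\bin\splunk.exe" btool inputs list --debug | Select-String 'WinEventLog'
```

If the last command prints nothing, the apps have not arrived yet; check the client list under Settings > Forwarder Management on the deployment server before troubleshooting the forwarder.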