Configuring a Forwarder Lab


Time: 6 hours 3 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:00
Hello and welcome back to the Splunk Enterprise Administrator
00:04
course on Cybrary. This video is going to be a lab where we're going to go over configuring a Splunk Universal Forwarder, getting it set up to phone home to the deployment server and then receiving all of the configurations that it needs
00:19
to be a forwarder and to send logs into Splunk. And we would be able to
00:25
validate that we're receiving that data at the end
00:28
of the video as well. So
00:31
without further ado, let's get started. We're going to review some of these apps that I've already set up in Splunk. So right now I'm on my deployment server. To get here, you just go to Settings, Forwarder Management. You either have to have some apps in your deployment-apps directory or some clients phoning home.
00:50
So
00:51
what I have so far is some baseline apps. What Splunk training and professional services will call these is base configs, basically. So they're the standard settings that you need to configure a Splunk component to be
01:08
that component, to fulfill its purpose. So right now we have this all_deploymentclients app, which is going to configure all clients
01:19
to phone home to this deployment server.
01:23
Then we have all_forwarder_outputs, which will give the forwarders their outputs.conf configuration so that they send their logs to the indexer. And then this is just a generic inputs app that we're going to use to test that everything is working.
01:38
So first thing, let's just quickly review these files, so
01:45
we'll go to that directory
01:47
deployment-apps,
01:48
and we will cat out all_deploymentclients/default/deploymentclient.conf. So you can see it's just going to point them to this server on the management port and have them phone home every 60 seconds.
02:02
Then, if you want to look at all_forwarder_outputs, we've got this outputs.conf configuration, which is defining the indexers and then telling it which default group to use, this being the group name,
02:19
and then we finally have our inputs, which
02:23
is just a small, discrete app containing an inputs.conf stanza that's going to monitor the Windows Security log. It's not disabled because we want it to actually be doing something. It's going to send to main because that's the only index I really have configured right now, and we'll just set the sourcetype to WinEventLog,
02:43
so those are the configurations that our universal forwarders will get as soon as they phone home, because we already have the server classes in place, which are set to send to everything that phones home at the moment. So
03:00
we will get our Universal Forwarder set up now, so I'll show you
03:04
where to get that package. If you just search "Splunk Universal Forwarder package", it should be the first Google result.
03:12
This is important because the Universal Forwarder, as I've mentioned, is a lighter-weight install of Splunk, so you can't just use Splunk Enterprise. You want this package for your forwarders because it's lightweight and just won't use many system resources.
03:29
it's a little bit slow loading, but we'll get there.
03:32
I've already got this file downloaded ahead of time, but I just want to show you, just for the sake of it. So, you know, you just pick your operating system here. In my case, I am Windows 64-bit, Windows 10. So I would hit Download Now, except that I've already downloaded this, so I'm not going to.
03:50
But then you just click it. It warns you that, hey, this is an executable, and that could be bad. But we trust this.
03:59
We'll check the box to agree to the license agreement. We're not using Splunk Cloud,
04:05
so we keep this checked,
04:09
we'll set our user name and a secure password.
04:15
Oops.
04:21
We're not going to set the deployment server here because that would set it in system/local/deploymentclient.conf. And if we do it that way, then we can't manage the configuration through our deployment server. So we're going to skip this step and set it up as an app manually. Same concept with this receiving indexer.
04:41
We're not going to configure this at all because we already have our apps configured
04:45
so that as soon as this forwarder phones home to the deployment server, it will get all the configurations it needs.
04:53
So now we'll do the install, allow that, let it do whatever it needs to do,
05:00
then a little bit of hurry up and wait.
05:05
So once that installs, we'll just check to make sure that it's running, so we'll go to Services
05:13
and we'll look for Splunk Universal Forwarder,
05:15
alphabetical, so it should be right here. So it is running. So this is a Splunk Universal Forwarder now.
05:23
Where you can find this directory will be C:,
05:27
Program Files,
05:29
SplunkUniversalForwarder,
05:32
and we're going to need to go into etc\apps and create a new app that is going to be used for configuring this as a deployment client to the deployment server.
05:43
The key here is that we need to match the exact name of the app that we're going to replace it with when it phones home.
05:49
So we'll copy that.
05:53
Come back to here,
05:56
create that
05:59
make a default directory in here.
06:00
And then this is where we'll put our deploymentclient.conf.
06:06
We need a text editor. Note that I am running this as administrator, because otherwise I won't have access to write to this location.
06:14
And I don't actually know this setting off the top of my head.
06:18
So I tend to just look up the documentation
06:25
and I love these. Splunk has these in the Admin Manual for all of the files. I use them constantly, and you probably should as well; they're very helpful. They'll go through everything you need to know about any configuration file and give you some examples,
06:39
but I know that this is the setting that we need. So I'm going to copy this over into my Notepad++.
06:45
I'm gonna remove this part because that is not relevant to me.
06:50
And copy the IP address of my device.
06:55
That's it. Now, just save this.
06:58
Um, I'm already in the proper directory. If not, you'd have to just locate it yourself.
07:04
We'll save it as a .conf.
07:06
We'll change this to *.* so that it saves as a .conf file and not as a text file.
07:13
So now that's basically ready. We just need to,
07:16
restart the Splunk service.
07:19
So there's a couple of ways we can do that. I'm going to do it through an administrative command prompt.
07:27
We'll just change directories to
07:31
Program Files. You need
07:34
the double quotes
07:36
to tell it that it's,
07:39
um,
07:40
that the white space is part of the directory path. I didn't mean to hit Enter there, but it doesn't really matter,
07:50
so we'll restart the service.
07:55
Once we restart the service, we should hopefully start to see it phoning home
08:00
to our deployment server.
08:05
If it doesn't, there's a couple of things we can check. First, we need to make sure
08:09
that,
08:11
that the app is allowed through the firewall.
08:20
The Splunk application is allowed, so
08:24
that should not be a problem.
08:26
Yeah.
08:28
The next step, I guess, would be to check to see
08:33
if we're listening.
08:39
So we are. We're listening on 8089 right there.
08:43
So that should not be an issue.
08:46
Let's make sure that we save this in the right place.
08:50
deploymentclient.conf,
08:56
and we have the proper setting,
09:01
so that should be
09:03
working.
09:05
We can, in our command prompt, run btool to make sure
09:11
that our setting is there,
09:16
and it is.
09:18
So
09:20
that should be working.
09:28
Ah,
09:33
we can try
09:35
removing this and then re-adding it, and maybe that will address our issue,
09:43
because this was from a previous install of
09:48
a Splunk Universal Forwarder, so that could cause some weirdness.
09:52
Let's see if that
09:56
Yep. And that did it. So now you can see we have one client phoning home
10:01
and three downloads. Each of these apps was deployed.
10:05
So if I come back and I check in my folder, you can see my apps now exist here.
10:11
So that also means if I were to run my btool
10:15
and see my inputs,
10:18
and let's just look for
10:26
all_windows_inputs.
10:30
You can see that my settings were sent here.
10:33
So now we can look and search in Splunk
10:37
to see what logs we have. So we should be seeing
10:48
Let's set that to All time. Maybe
10:52
there we go.
10:52
So now you can see we actually are receiving logs from this device.
10:58
So that's our Windows log; that's the input that we enabled. Then also we should be able to see
11:05
this is my hostname, I just happen to know that. We should see internal logs coming in as well, and we do. So we've successfully set this device up as a universal forwarder, and it's forwarding logs to our Splunk instance. It's reporting to our deployment server. And as you can see,
11:24
this makes it very easy to get all your forwarders set up. So
11:28
all you need to do is have your app installed so it points back to the deployment server, and then it will automatically have the apps it needs deployed to it. So now that thing is entirely configured, exactly the way it needs to be to be a forwarder, so that's perfect.
11:43
That's gonna wrap up this lab, and we'll keep working
11:48
on building out our Splunk deployment in the next videos. So I will see you then.
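As an added example (not code from the video or from Cybrary), the following Python script does in code what the lab does by hand: it creates the deployment-client app under the forwarder's etc\apps directory, writes a deploymentclient.conf with the two settings shown in the transcript (management port 8089, phone home every 60 seconds), and then reads the app back the way the troubleshooting steps do, catching the ".conf saved as a text file" mistake. The app name all_deploymentclients is taken from the transcript; the deployment server address is a constructed placeholder.

```python
import configparser
from pathlib import Path

# Default Windows install path used in the lab; pass another path for a non-Windows lab.
DEFAULT_SPLUNK_HOME = r"C:\Program Files\SplunkUniversalForwarder"


def deploymentclient_conf(server_host: str, port: int = 8089, interval: int = 60) -> str:
    """Render deploymentclient.conf: phone home to server_host on the management port."""
    return (
        "[deployment-client]\n"
        f"phoneHomeIntervalInSecs = {interval}\n"
        "\n"
        "[target-broker:deploymentServer]\n"
        f"targetUri = {server_host}:{port}\n"
    )


def write_client_app(splunk_home, app_name, server_host, port=8089, interval=60) -> Path:
    """Create etc/apps/<app_name>/default/deploymentclient.conf, as done by hand in the lab."""
    default_dir = Path(splunk_home) / "etc" / "apps" / app_name / "default"
    default_dir.mkdir(parents=True, exist_ok=True)
    conf = default_dir / "deploymentclient.conf"
    conf.write_text(deploymentclient_conf(server_host, port, interval), encoding="utf-8")
    return conf


def check_client_app(splunk_home, app_name) -> dict:
    """Read the app back and return its effective settings; raise on the common mistakes."""
    default_dir = Path(splunk_home) / "etc" / "apps" / app_name / "default"
    conf = default_dir / "deploymentclient.conf"
    if not conf.is_file():
        # Typical cause: the editor saved "deploymentclient.conf.txt" instead of ".conf".
        stray = [p.name for p in default_dir.glob("deploymentclient.conf*")]
        raise FileNotFoundError(f"{conf} is missing; found {stray}")
    # Only "=" is a delimiter, so the ":" inside host:port stays in the value.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read(conf, encoding="utf-8")
    target = parser.get("target-broker:deploymentServer", "targetUri", fallback=None)
    if not target or ":" not in target:
        raise ValueError("targetUri must be host:port (management port, 8089 by default)")
    host, port = target.rsplit(":", 1)
    return {
        "targetUri": target,
        "host": host,
        "port": int(port),
        "phoneHomeIntervalInSecs": parser.getint(
            "deployment-client", "phoneHomeIntervalInSecs", fallback=60),
    }
```

Run write_client_app against a scratch directory first; against the real SplunkUniversalForwarder path it must run from an administrative prompt, and the service still has to be restarted afterwards for the forwarder to phone home.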