Saturday, January 2, 2016

Installing Splunk Forwarder on Ubuntu

Note: This post is Part 3 of the series on using Splunk in a Virtual Lab – The full series is Introduction, Part 1, Part 2, Part 3, and Part 4.

Install Splunk Universal Forwarder

Installation Site: Link

Download Universal Forwarder: https://www.splunk.com/en_us/download/universal-forwarder.html

    1. Create a VM using Ubuntu.
    2. Linux note (part of my Security Lab): the VM system requirements are below.
       Name: lab_ubuntu_splunk
       Operating System: Ubuntu 14.04.3
       Base Memory (RAM): 1000 MB or 1 GB
       Storage: 8.0 GB
       Network: NAT
    3. Wget the Universal Forwarder package from Splunk.
    4. Install tar on the Ubuntu VM: sudo apt-get install tar
    5. Extract the forwarder: sudo tar -xvzf splunkforwarder[...].tgz -C /opt/ (note the -C flag, which sets the extraction directory to /opt/)
    6. Move into the /opt/splunkforwarder/bin directory.
    7. Run ./splunk start (or ./splunk start --accept-license to skip the license prompt) to start the Universal Forwarder.
    8. [Optional] Create a login using the Splunk Web interface or the command line. I created a user with the username "forwarder".
       Web interface:
       • Go to http://127.0.0.1:8000
       • Log in if not already authenticated
       • Click "Settings" (top right of the screen)
       • Under "Users and Authentication", click "Access controls"
       • Under "Users", click "Add New"
         • Username: forwarder
         • Full Name: forwarder
         • Role: Admin (removed user)
         • Password: [create one]
    9. Add the forward server: splunk add forward-server <host>:<port> -auth <username>:<password> (the default receiving port is 9997).
       splunk add forward-server 127.0.0.1:9997 -auth admin:<changeme> (forwarder login did not work)
