
Splunk Universal Forwarder – Windows


To collect log information from a stand-alone Windows workstation (Vista in this case), download and install the Splunk Universal Forwarder:

splunk-4.3-115073-x86-release.msi

Follow the install configuration and select WindowsEventLog: Security plus whatever performance monitoring is required. Enter the IP address of the Splunk indexer/search head and the host IP address as directed. If the default receiving port (9997) was selected, ensure that the indexer's firewall allows inbound connections from the forwarder on this port.

In addition to the standard Windows event logs:
  • Application log (tracks events that occur in a registered application)
  • Security log (tracks security changes and possible breaches in security)
  • System log (tracks system events)
a couple of useful logs to forward are the Windows Update log and the Windows Firewall log. Start Notepad as administrator, open C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and edit it as follows:

[default]
host = acer-expire

# Performance monitor script input selected during install
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0

# Windows Update client log
[monitor://$WINDIR\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
disabled = 0

# Windows Firewall log (firewall logging must be enabled; see the steps below)
[monitor://C:\Windows\System32\LogFiles\Firewall\pfirewall.log]
sourcetype = WindowsFirewallLog
disabled = 0

Note: enable Windows Firewall logging as follows:
  1. Click Start, All Programs, and search for Administrative Tools.
  2. Select Windows Firewall with Advanced Security.
  3. Right-click Windows Firewall with Advanced Security on Local Computer.
  4. Select Properties, then on the Profile tabs customise logging.
  5. Select log dropped packets and log successful connections.
  6. Click OK.
Start Windows Task Manager and restart the SplunkForwarder service.
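The same firewall logging steps and forwarder restart, as an added PowerShell example that is not part of the original post. It assumes the forwarder install path and firewall log path used in the post, and must be run from an elevated prompt (netsh advfirewall is available from Vista onwards).

```powershell
# Added example (not from the original post): enable Windows Firewall logging for
# all profiles, confirm the forwarder is watching the log, and restart the forwarder.
# $SplunkHome and $FwLog are assumptions matching the paths used in the post.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$FwLog      = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
$Inputs     = Join-Path $SplunkHome 'etc\system\local\inputs.conf'

# Same settings as the GUI steps above (log dropped packets and successful
# connections), applied to the Domain, Private and Public profiles at once.
netsh advfirewall set allprofiles logging filename "$FwLog"
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable

# Show the resulting logging settings for each profile for a visual check.
netsh advfirewall show allprofiles | Select-String -Pattern 'Log'

# The log file is only created once the firewall writes its first entry,
# so its absence right after enabling logging is a warning, not an error.
if (-not (Test-Path $FwLog)) {
    Write-Warning "$FwLog not present yet; it appears after the first logged packet."
}

# Check inputs.conf actually contains a monitor stanza for the firewall log.
# The documented stanza form is [monitor://<path>], so match that exact text.
$stanza = "[monitor://$FwLog]"
if (-not (Select-String -Path $Inputs -SimpleMatch -Pattern $stanza -Quiet)) {
    Write-Warning "No '$stanza' stanza found in $Inputs; the log will not be forwarded."
}

# Restart the forwarder so the edited inputs.conf is read, then show its state.
Restart-Service -Name SplunkForwarder
Get-Service -Name SplunkForwarder | Format-Table Name, Status -AutoSize
```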

NB: The Splunk Universal Forwarder for Windows must run as local admin in order to forward the above logs. Linux/Solaris forwarders do not need to and should not run as root, but log group permissions may need to change to forward some logs.
