Ingesting logs in Splunk
Part 6a- Ingesting logs in Splunk
Part 6- Ingesting logs in Splunk
For log activities to be pushed from the DC to our SIEM (Splunk), we have to use a universal forwarder. The universal forwarder is like an agent that can be installed on Windows, Linux, and Mac endpoints to send logs to our Splunk instance.
On your domain controller. We need to get a better Browser. So see if you have Edge or can download it. IE may be locked down so you can go to Internet Options > Security > Disable protected mode or click custom level>scroll down and then enable file downloads.
Navigate to google.com. Type in Splunk universal forwarder. Once you get on the site, log on and download the Splunk universal forwarder to the DC.
Click on the second option. Then accept the terms.
Once it is downloaded we have to log into to your Splunk machine and log on to Splunk.
From there navigate to Settings > Forward and receiving > Configure receiving.
Then in the top right we click new receiving port.
Enter 9997 and then click save. So now Splunk will be listening for inbound connections from or Universal forwarder on port 9997.
Next thing we will create is called an index for our windows event logs. Indexes are essentially blocks of storage where logs go to and then we can use search heads to search from the indexes.
So in Settings we go to indexes and then create a new index and name it WinEvents and then just save.
We can go back to the DC and go to Downloads and begin to install the universal forwarder.
Check the box to accept the license agreement.
Below use the same credentials as the one you have set for the Splunk instance.
The wizard will next prompt for the IP for the Splunk Server to where the Winevent logs will be forwarded and for this we should use the IP of our Splunk machine.
However, there is a problem.
Currently, the Splunk box is connected to the VMware NAT network (reference route 1 in the image below). This is why the IP of the Splunk machine is on the same subnet as the WAN (emo) interface of the pfSense firewall . However, I want it to sit behind the firewall on VMnet6 because I believe it better simulates a real world corporate network. This way, traffic from the DC will stay on the inside of the corporate network (reference route 2 in the image below) rather than ending up on the VMware NAT network which is similar to the internet.
Therefore, our goal, prior to entering the IP for our Splunk machine in the wizard, is to perform a network cutover (network migration) of the Splunk box from the NAT network to VMnet 6 which is the image in our topology.
*Alright, this is where things got a little crazy so check out the B part to Part 6 of this series Troubleshooting in my homelab*