Splunk forwarder

A Splunk forwarder is like a agent in Wazuh Siem. It is a piece of software the runs on a remote machine/client that sends data back to a central server

Getting data into Splunk EnterpriseSplunk Lantern

Server Prep

1. make sure the port you are using on the server to receive data is not blocked by firewall, typically it is

   1. open a firewall port in windows:

   https://ec.europa.eu/digital-building-blocks/sites/display/CEKB/How+to+open+a+port+on+the+firewall

2. in splunk make sure you add a receiving port under settings > forward and receiving

   1. click add new

1. add what ever port you want and click save, 9997 is the default

Client Install

1. Download the splunk forwarder. You need to have a splunk user and pass to proceed to the download link

   1. make sure transfer or download to the client machine you want to run it

Download Universal Forwarder for Remote Data Collection | SplunkSplunk

1. When starting the executable

   1. check the box to except the license

   2. for this one we select on-prem

   3. click Customize Options

1. Unless you have a SSL Cert or know what it is, leave this blank

1. Select virtual account

1. Leave all this default

1. Select the options you want to monitor

   1. Performance monitors with run a lot and fill up your logs

1. add a user and password

   1. usually you would use the same one for multiple endpoints

1. If you don't have a deployment server you can skip this

1. this is your splunk server IP and listening port you set up in server

1. install

Troubleshooting

• if you see this just hit OK some times it works after that other times it will start to roll back. If it has rolled back restart the computer and try again.

• if successful you are good