Installing and configuring the Splunk Universal Forwarder
Install and configure the Splunk Universal Forwarder to collect attack data and forward it to the Splunk Server.
Steps
- Download Splunk Universal Forwarder 8.0.0. For more information, see the Splunk® Universal Forwarder Manual.
- Install the Splunk Universal Forwarder by extracting the downloaded archive. Replace the file name in the example with the name of the file you downloaded in step 1, and verify the archive against the checksum published on the Splunk download page before extracting it. Extract it under /opt so that the forwarder lands in /opt/splunkforwarder, the location the later steps assume. With -v, tar lists each extracted file; the first lines of that listing are shown after the command.
  [root@ABS]# tar -xvf splunkforwarder-8.0.0-8c86330ac18-Linux-x86_64.tgz
  splunkforwarder/
  splunkforwarder/share/
- Start the Splunk Universal Forwarder.
  [root@ABS]# cd splunkforwarder/bin
  [root@ABS]# ./splunk start --accept-license
- Add the forward-server details (the host and receiving port of the Splunk receiver). The command asks for credentials; these are the forwarder's own admin credentials, not those of the receiving Splunk instance.
  Example:
  [root@dashboard]# ./splunk add forward-server ip:port
  Splunk username: admin
  Password:
  Added forwarding to: 192.168.1.158:9997.
  Enable the receiving port on the Splunk receiver. For example, configure port 9997 from the previous example in your Splunk deployment (Settings > Forwarding and receiving > Configure receiving in Splunk Web, or ./splunk enable listen 9997 on the receiver). By default the forwarder sends data to this port without TLS, so restrict the receiving port to the forwarder hosts at the firewall and configure TLS on both sides if the data crosses an untrusted network.
- Add a monitor input for the directory that holds the data to forward. The add monitor command writes a [monitor://...] stanza to the inputs.conf file on your Splunk Universal Forwarder.
  Example:
  [root@ABS]# ./splunk add monitor /opt/pingidentity/splunk/data/
  Added monitor of '/opt/pingidentity/splunk/data/'.
- Edit the inputs.conf file on your Splunk Universal Forwarder so that the monitor stanza for the attack log sets the index and sourcetype. The index named here (pi_events) must already exist on the receiving Splunk instance; events sent to an index that does not exist there are not indexed.
  [root@dashboard]# cat /opt/splunkforwarder/etc/apps/search/local/inputs.conf
  [monitor:///opt/pingidentity/pingidentity/dataengine/logs/attack.log/]
  index = pi_events
  sourcetype = pi_events_source_type
  disabled = false
- Restart the Splunk Universal Forwarder so that the new input takes effect.
  [root@ABS]# ./splunk restart
- Verify that data is flowing into Splunk by searching the index on the Splunk dashboard, for example with index=pi_events.
Troubleshooting:
If no data appears in Splunk, check your firewall settings: the forwarder host must be able to open a TCP connection to the receiving port (9997 in the example). On the forwarder, ./splunk list forward-server shows whether the receiver is listed under "Active forwards" or "Configured but inactive forwards", and ./splunk list monitor shows the inputs that are actually being monitored. Connection errors are recorded in /opt/splunkforwarder/var/log/splunk/splunkd.log.
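The following script, added here as an example and not part of the Ping Identity or Splunk documentation, automates the verification and troubleshooting step: it parses inputs.conf for enabled monitor stanzas, checks that each monitored path exists and is readable, optionally tests that the receiving port accepts a TCP connection, and, when credentials are supplied, asks the forwarder which receivers are active. The locations /opt/splunkforwarder and etc/apps/search/local/inputs.conf come from the steps above; the variable names FORWARD_HOST, FORWARD_PORT and SPLUNK_AUTH, and the script name check-forwarder.sh, are assumptions.

```shell
#!/bin/sh
# Post-install checks for a Splunk Universal Forwarder. Added example, not
# Ping Identity's or Splunk's own tooling. Locations are taken from the steps
# above; override them with environment variables. FORWARD_HOST, FORWARD_PORT
# and SPLUNK_AUTH (user:password passed to `splunk -auth`) are assumed names.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
INPUTS_CONF="${INPUTS_CONF:-$SPLUNK_HOME/etc/apps/search/local/inputs.conf}"

# Print the path of every enabled [monitor://...] stanza in an inputs.conf,
# one per line. A stanza whose body sets "disabled = true" (or 1) is skipped.
monitored_paths() {
    awk '
        function emit() {
            if (path != "" && !off) print path
            path = ""; off = 0
        }
        /^\[monitor:\/\/.*\]$/ {
            emit()
            path = $0
            sub(/^\[monitor:\/\//, "", path)
            sub(/\]$/, "", path)
            next
        }
        /^\[/ { emit(); next }   # any other stanza ends the current monitor stanza
        /^[ \t]*disabled[ \t]*=[ \t]*(true|1)[ \t]*$/ { off = 1 }
        END { emit() }
    ' "$1"
}

# Succeed when the monitored path exists and is readable by this user.
# A trailing slash on a file name, as in the attack.log stanza above, is
# tolerated. Stanzas with Splunk wildcards (* or ...) are reported as missing
# and must be checked by hand.
path_readable() {
    f="${1%/}"
    [ -r "$f" ]
}

# Succeed when a TCP connection to host:port completes within 3 seconds.
# Uses bash's /dev/tcp so that no extra tools are needed on the forwarder host.
receiver_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
}

# Run every check; return 0 only if all of them pass.
run_checks() {
    rc=0
    if [ ! -f "$INPUTS_CONF" ]; then
        echo "FAIL: $INPUTS_CONF not found"
        return 1
    fi
    paths=$(monitored_paths "$INPUTS_CONF")
    if [ -z "$paths" ]; then
        echo "FAIL: no enabled [monitor://] stanza in $INPUTS_CONF"
        return 1
    fi
    old_ifs=$IFS
    IFS='
'
    set -f   # do not glob-expand wildcard stanzas while iterating
    for p in $paths; do
        if path_readable "$p"; then
            echo "ok: monitoring $p"
        else
            echo "FAIL: $p does not exist or is not readable"
            rc=1
        fi
    done
    set +f
    IFS=$old_ifs
    if [ -n "${FORWARD_HOST:-}" ] && [ -n "${FORWARD_PORT:-}" ]; then
        if receiver_reachable "$FORWARD_HOST" "$FORWARD_PORT"; then
            echo "ok: $FORWARD_HOST:$FORWARD_PORT accepts TCP connections"
        else
            echo "FAIL: cannot connect to $FORWARD_HOST:$FORWARD_PORT (firewall, or receiving not enabled)"
            rc=1
        fi
    fi
    # With credentials, ask the forwarder itself which receivers are active.
    if [ -x "$SPLUNK_HOME/bin/splunk" ] && [ -n "${SPLUNK_AUTH:-}" ]; then
        "$SPLUNK_HOME/bin/splunk" list forward-server -auth "$SPLUNK_AUTH"
    fi
    return $rc
}

# Run the checks when executed directly as check-forwarder.sh (not when sourced).
case "$0" in
    *check-forwarder.sh) run_checks ;;
esac
```

Save it as check-forwarder.sh on the forwarder host and run, for example, FORWARD_HOST=192.168.1.158 FORWARD_PORT=9997 sh check-forwarder.sh. A FAIL on the receiver line points at the firewall or a receiving port that was never enabled on the indexer; a FAIL on a monitored path means the forwarder has nothing to send, which produces the same empty dashboard.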