Kicking off the second part of setting up Splunk in my home lab, I will be installing the Splunk app and a universal forwarder on the Windows 2012 server from which I want to index logs. If you do not have a Splunk server up and running in your lab, check out my first post “Splunk in My Homelab: Part One” at https://jamey.info/splunk-in-my-homelab/.
From your Splunk web console choose Splunk Apps.
Now search the apps using Windows as your search term. The official Splunk app is called Splunk Add-on for Microsoft Windows. Installing this prepares Splunk to parse and index machine data from a Windows source.
After selecting install, you will be prompted to log in to Splunkbase using your Splunk account and then prompted to restart Splunk. Once Splunk is back up and running, log back into the server. Next we will be configuring a listening port to receive the Windows data. From the Splunk home screen, click Settings, then choose “Forwarding and receiving”.
Now click the blue hyperlink “Configure receiving”.
Enter the port number on which you want Splunk to listen. I chose the default Splunk listening port 9997.
Now the Splunk server is prepared to receive data to index. Next, move on to installing the forwarder on the Windows server you want to collect data from.
First, go to https://www.splunk.com/en_us/download/universal-forwarder.html and download the universal forwarder that is appropriate for the OS you will be exporting data from. I chose Windows 64-bit. Splunk recommends not installing the 32-bit version on 64-bit machines.
Now run the MSI locally on the Windows server. Accept the license and choose customize options.
I ran it as a local system account. If you have an internal domain, check out this link for best practices on using domain accounts. Link
Choose what data you want exported. I chose a lot. Be aware that the system log on Windows will generate a ton of data.
Finally, I pointed it at my Splunk server. If you used anything besides the default port when setting up the listener on the Splunk server, then enter it in the box. Otherwise, leave it blank.
Now navigate to your search app and search for host="windows server name" (the hostname of the Windows server running the forwarder). It may take a few minutes to populate. Now that we have everything up and running, we will be focusing on Splunk search in the next post.
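The same forwarder setup done unattended from PowerShell, with a reachability check before the install and a connection check after it. This is an added example, not the author's own steps or Splunk's documentation; the server name, MSI path and admin username are placeholders, and the installer properties are the ones Splunk exposes for the Windows universal forwarder MSI.

```powershell
# Added example: unattended equivalent of the MSI wizard choices made above.
# Placeholders: $SplunkServer (your indexer), $Msi (the downloaded installer), "ufadmin".
$Msi           = "C:\Temp\splunkforwarder-x64-release.msi"
$SplunkServer  = "splunk.lab.local"      # placeholder: the Splunk server from Part One
$ReceivingPort = 9997                    # must match "Configure receiving" on the server
$UfBin         = "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"

# 1. Confirm the receiving port is reachable first; a blocked 9997 is the usual reason
#    host=<name> returns nothing in the search app later.
if (-not (Test-NetConnection -ComputerName $SplunkServer -Port $ReceivingPort -InformationLevel Quiet)) {
    throw "Cannot reach ${SplunkServer}:${ReceivingPort}. Check the receiving port and any firewall in between."
}

# 2. Silent install with the same choices as the wizard: local system account (the default
#    when no LOGON_USERNAME/LOGON_PASSWORD is supplied), Application/Security/System event
#    logs, auto-start service, and the indexer as the receiving target.
#    SPLUNKUSERNAME/SPLUNKPASSWORD set the forwarder's own admin login (recent UF versions
#    require it). Lab shortcut: the password is visible in the msiexec command line.
$UfAdminPassword = Read-Host -Prompt "Forwarder admin password"
$MsiArgs = @(
    "/i", "`"$Msi`"", "/quiet",
    "AGREETOLICENSE=Yes",
    "RECEIVING_INDEXER=`"${SplunkServer}:${ReceivingPort}`"",
    "WINEVENTLOG_APP_ENABLE=1",
    "WINEVENTLOG_SEC_ENABLE=1",
    "WINEVENTLOG_SYS_ENABLE=1",   # heavy volume, as noted above; drop it if you only want Security
    "SERVICESTARTTYPE=auto",
    "LAUNCHSPLUNK=1",
    "SPLUNKUSERNAME=ufadmin",
    "SPLUNKPASSWORD=$UfAdminPassword"
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $MsiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# 3. Verify: the service is up and the forwarder reports the indexer under "Active forwards".
#    Note that 9997 carries the events unencrypted unless TLS is configured in outputs.conf
#    on the forwarder and on the receiving server.
Get-Service SplunkForwarder | Select-Object Name, Status, StartType
& $UfBin list forward-server -auth "ufadmin:$UfAdminPassword"
```

If the indexer shows under "Configured but inactive forwards", re-check the receiving port on the server before looking anywhere else.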