Existing Splunk server on Linux

kdp
I've gone through the doco and set up Supercharger and Splunk on a Windows server and it works as in your doco and webinar.

However I have an existing Splunk server installed onto a Linux server and was wondering if I could use that instead?
Tried installing a Splunk forwarder on the WEC server, however I don't seem to be able to send the events to this remote Splunk server. Have installed the Logbinder for Splunk on it as an app.

Any ideas or info would be appreciated.

Great products by the way, once I got my head around it all it really is nice.
Thanks
imrago, replying to kdp - 8/16/2017:

>I have an existing Splunk server installed onto a Linux server and was wondering if I could use that instead?

Confirmed, you could also use that Linux server.

>Tried installing a Splunk forwarder on the WEC server, however I don't seem to be able to send the events to this remote Splunk server.

It should work with the forwarder if both the inputs.conf and outputs.conf are configured correctly.

>Have installed the Logbinder for Splunk on it as an app.

Was it added to the forwarder? In that case the following is monitored in the app's inputs.conf:

[WinEventLog://Supercharger-Destination-ADChanges/Log]

By default it is sending data to index=main.

On the forwarder the destination server should also be configured. Is the Linux server receiving anything from the forwarder?
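The two files named above decide whether anything reaches the Linux indexer at all. The following is an added example, not code from this thread or from LOGbinder: a small Python checker that parses constructed inputs.conf and outputs.conf text from a forwarder and reports the conditions discussed in this thread, namely that the Supercharger channel stanza is present and enabled, that its index is one the app searches (main or wineventlog, as noted later in the thread), and that outputs.conf names a destination group with a server. The stanza name is the one quoted above; the indexer hostname, output group name and port are assumptions.

```python
"""Sanity-check a Splunk universal forwarder's inputs.conf / outputs.conf
for the Supercharger event channel discussed in this thread.

Constructed sample configs are embedded inline; no Splunk install is needed.
"""
import configparser

# Constructed sample: the stanza the LOGbinder app monitors on the forwarder.
# The sourcetype is only reported here, not judged: the thread mentions both
# logbinder:syslog and WinEventLog:Security.
SAMPLE_INPUTS_CONF = """
[WinEventLog://Supercharger-Destination-ADChanges/Log]
disabled = 0
index = main
sourcetype = WinEventLog:Security
"""

# Constructed sample outputs.conf pointing the forwarder at a Linux indexer
# (hostname, group name and port are assumptions).
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = linux_indexers

[tcpout:linux_indexers]
server = splunk-linux.example.internal:9997
"""

# Only these two indexes are searched by the app by default (per the thread).
SEARCHED_INDEXES = {"main", "wineventlog"}
CHANNEL_STANZA = "WinEventLog://Supercharger-Destination-ADChanges/Log"


def parse_conf(text):
    """Parse Splunk's INI-style .conf text. Interpolation is disabled because
    Splunk values may legitimately contain '%' characters."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return parser


def check_forwarder(inputs_text, outputs_text):
    """Return a list of human-readable findings. An empty list means the
    forwarder config satisfies every check the replies in this thread describe."""
    findings = []
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)

    # 1. The Supercharger destination channel must be monitored and enabled.
    if not inputs.has_section(CHANNEL_STANZA):
        findings.append(f"inputs.conf: missing stanza [{CHANNEL_STANZA}]")
    else:
        stanza = inputs[CHANNEL_STANZA]
        if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
            findings.append(f"inputs.conf: [{CHANNEL_STANZA}] is disabled")
        # 2. Events must land in an index the app actually searches.
        index = stanza.get("index", "main").strip()  # Splunk's default index is main
        if index not in SEARCHED_INDEXES:
            findings.append(f"inputs.conf: index={index} is not searched by the app "
                            f"(expected one of {sorted(SEARCHED_INDEXES)})")

    # 3. The forwarder must know where to send the data.
    if not outputs.has_section("tcpout"):
        findings.append("outputs.conf: missing [tcpout] stanza")
        return findings
    group = outputs["tcpout"].get("defaultGroup", "").strip()
    group_section = f"tcpout:{group}"
    if not group or not outputs.has_section(group_section):
        findings.append(f"outputs.conf: defaultGroup '{group}' has no [{group_section}] stanza")
    elif not outputs[group_section].get("server", "").strip():
        findings.append(f"outputs.conf: [{group_section}] has no server = host:port")
    return findings


if __name__ == "__main__":
    for finding in check_forwarder(SAMPLE_INPUTS_CONF, SAMPLE_OUTPUTS_CONF) or ["all checks passed"]:
        print(finding)
```

Point `check_forwarder` at the text of the real files under the forwarder's app directory to get the same three answers for a live setup: whether the channel is monitored, whether its index is searched, and whether a destination server is configured at all.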
kdp, replying to imrago - 8/16/2017:

>Is the linux server receiving anything from the forwarder?

Thanks for your help, I've ended up loading Splunk for Windows on the same box as my Collector/Supercharger as it's mostly working with that setup. I did see all the Windows Event logs appearing in my Splunk on Linux, however the Logbinder AD app didn't display any data/charts.

Sorry, one more question: I don't appear to see all items showing up in the Logbinder app. I do see Account Changes, Group Changes and Domain Policy Changes (charts). However, I don't see any Group Policy changes, even though I've made several GPO changes and see the 5136 event logs coming in, and also see these logs appear in Splunk, just not in the Logbinder chart section of the app. In addition, I don't see the details that Randy was demonstrating in his webinar for Splunk, such as table details, e.g. groups with membership changes and most active members.

Many thanks
Keith

imrago

>Thanks for your help, I've ended up loading Splunk for Windows on the same box as my Collector/Supercharger as it's mostly working with that setup. I did see all the Windows Event logs appearing in my Splunk on Linux, however the Logbinder AD app didn't display any data/charts.

Were you seeing the forwarded events on the Linux server? For the events to be visible in the Logbinder app it is important that the sourcetype is set like this: "sourcetype=logbinder:syslog"
Please verify that; perhaps the forwarder is setting some other sourcetype.

Another thing to check on the Linux server is whether the events are forwarded to either the main or the wineventlog index. Only those two are searched by default.
imrago

>I don't see any Group Policy changes, even though I've made several GPO changes and see the event logs coming in of 5136 and also see these logs appear in Splunk, just not the Logbinder chart section of the app.

Not all 5136 events are in the charts, only the significant ones, for example:

Events where EventCode=5136 and ObjectClass=groupPolicyContainer that are received from a domain controller will be visible as "Modify GPO".

Or try to create or delete a GPO, that would also show up.

imrago

>I don't see the details that Randy was demonstrating in his webinar for Splunk such as table details e.g. Groups with membership changes and most active members.

That should be visible in this dashboard:

Active Directory Changes -> Groups

Is that dashboard populated?


kdp, replying to imrago - 8/18/2017:

>Or try to create or delete a GPO, that would also show up.

I created a test GPO, and the event log collector received 4932, 4739, 4611 and 5136, all indicated at the time I created this test GPO. However, nothing is showing up in the Group Policy area of the Splunk Logbinder app; it just displays "No results found".

I also see these in the Splunk "Search & Reporting" area with the source and sourcetype of:
source = WinEventLog:Supercharger-Destination-ADChanges/Log sourcetype = WinEventLog:Security
It's like the Logbinder app doesn't see these events for some reason?

This is with Splunk installed on the Windows box which has Supercharger installed and is the WEC, so not my Linux box; I want to get this working first before getting back to the Linux box.


kdp, replying to imrago - 8/18/2017:

>is that dashboard populated?

It's only partly populated; I don't see account names, just that I removed or added a group.
imrago, replying to kdp - 8/18/2017:

>It's like the Logbinder app doesn't see these events for some reason?

That is great that the sourcetype is correct, and if some of the other dashboards are populated, that indicates that the data is in a correct index.

The Group Policy dashboard is also checking whether the event is from a domain controller. If it is not, then it would not be present on the dashboard.

The list of domain controllers is updated by the "update_domain_controllers_4932_4768" saved search into a lookup file called "domain_controllers.csv". The Group Policy dashboard uses that lookup file to decide whether a sending device is a domain controller.

Please check that the lookup file is being populated and that the server sending the Group Policy events appears in the results, by running this search:

| inputlookup domain_controllers.csv

Please note that the search starts with the vertical bar character.
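The replies above give the three conditions behind the Group Policy dashboard: EventCode 5136, ObjectClass groupPolicyContainer, and a sending host that appears in domain_controllers.csv. As an added example (not the app's own search logic and not code from this thread), the Python below models that filter over constructed 5136 events and a constructed stand-in for the lookup file, and reports for each event which condition excluded it, which is the triage the thread walks through by hand. The lookup's column name "host", the hostnames and the event field layout are assumptions.

```python
"""Model of the filter this thread describes for the LOGbinder Group Policy
dashboard: an event appears as "Modify GPO" only when EventCode=5136,
ObjectClass=groupPolicyContainer, and the sending host is listed in the
domain_controllers.csv lookup. Everything below is constructed sample data.
"""
import csv
import io

# Constructed stand-in for domain_controllers.csv. The column name "host" is an
# assumption; the thread does not state the lookup's column layout.
SAMPLE_LOOKUP_CSV = """host
DC01.corp.example
DC02.corp.example
"""

# Constructed events carrying only the extracted fields the filter needs.
# Event 3 is the case the reply asks to check: a 5136 for a GPO whose sending
# host is not in the lookup, so the dashboard drops it even though the event
# itself is in the index.
SAMPLE_EVENTS = [
    {"id": 1, "host": "DC01.corp.example", "EventCode": "5136", "ObjectClass": "groupPolicyContainer"},
    {"id": 2, "host": "DC01.corp.example", "EventCode": "5136", "ObjectClass": "user"},
    {"id": 3, "host": "WEC01.corp.example", "EventCode": "5136", "ObjectClass": "groupPolicyContainer"},
    {"id": 4, "host": "DC02.corp.example", "EventCode": "4739", "ObjectClass": ""},
]


def load_domain_controllers(csv_text, column="host"):
    """Return the set of hostnames in the lookup, lower-cased for comparison."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[column].strip().lower() for row in reader if row.get(column)}


def classify(event, domain_controllers):
    """Return the dashboard verdict for one event, applying the three
    conditions from the thread in the order a reader would check them."""
    if event.get("EventCode") != "5136":
        return "excluded: EventCode is not 5136"
    if event.get("ObjectClass") != "groupPolicyContainer":
        return (f"excluded: ObjectClass={event.get('ObjectClass') or '<empty>'} "
                "is not groupPolicyContainer")
    if event.get("host", "").lower() not in domain_controllers:
        return "excluded: host is not in domain_controllers.csv"
    return "Modify GPO"


def classify_all(events, csv_text):
    """Map each event id to its verdict."""
    dcs = load_domain_controllers(csv_text)
    return {e["id"]: classify(e, dcs) for e in events}


if __name__ == "__main__":
    for event_id, verdict in classify_all(SAMPLE_EVENTS, SAMPLE_LOOKUP_CSV).items():
        print(event_id, verdict)
```

The practical use is the last branch: if a 5136 for a groupPolicyContainer is in the index but the dashboard says "No results found", compare the event's host field against the output of `| inputlookup domain_controllers.csv` before looking anywhere else.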
imrago, replying to kdp - 8/18/2017:

>It's only partly populated, don't see Account names just that I removed or added a group.

Which part of the Groups dashboard are you referring to? The Membership Changes table?

LOGbinder Forum