DEV Community

Surya Shankar

How To Install & Manage Splunk Universal Forwarder in AWS Ec2

What is Splunk?

Splunk is an application designed to search and analyze data gathered from machines, devices, and anything else in your infrastructure that sends data.

Splunk Cloud vs Splunk Enterprise?

The big difference is that Splunk Enterprise is hosted on your company's infrastructure (or on your personal machine if you run it locally). Splunk Cloud is the same software, but it is hosted in Splunk's cloud and all of the hardware is maintained by Splunk. Splunk Cloud reduces the time it takes to get to production and decreases the cost of your SIEM.

Universal Forwarder?

Universal Forwarders allow your machine to stream data to a receiver, which is an indexer in Splunk Cloud. These forwarders allow you to monitor traffic in real time.

Splunk Installation Lab

Create two instances on AWS EC2 as shown below.

Install Splunk on both of them. To do that, go to the Splunk Enterprise website and download Splunk for Linux.

Now install Splunk using the command:

sudo yum install ./<Splunk file name>

Move to the bin folder:

cd /opt/splunk/bin

Accept the license and start Splunk:

./splunk start --accept-license --answer-yes

Add port 8000 to the security group.

Now Splunk is ready to run.

Open publicip:8000 in a browser and log in.

NOTE

Follow the steps above to install Splunk on both servers.

Now you can clearly see that there is no host present.

So, in order to connect a host, we need the universal forwarder.

Universal Forwarder Installation

Go to Splunk platform --> Products --> Free Trials and Downloads

Download the universal forwarder.

Install the forwarder using the command:

sudo yum install ./<splunk forwarder name>

Now change to the forwarder's bin folder and start Splunk.

It will ask for a port number; enter any free port (here I used 9089).

Now add the forward-server (the receiving Splunk server) on the forwarder. Here I have used the public IP of the Splunk server:

./splunk add forward-server <publicip-splunk server>:9997

Restart Splunk.

Now add the log path to monitor:

./splunk add monitor /var/log

Restart Splunk again.

Now, on the Splunk server, go to the bin path and enable listening on port 9997.

Restart Splunk, and you can see that the client has been added to the forwarder.

In order to add another server as a client, follow the same process above, but when asked for the port, enter a different port, as shown below:
9088

Add the forward-server IP as the Splunk server's public IP.

After that you can see two IPs under hosts: one host is the Splunk server and the other is the universal forwarder.

Click on the host name and you can see the log files here.

Now create a test folder inside /opt/splunk/etc/deployment-apps; it will appear under Forwarder Management > Apps.

Now configure the forwarder as a deployment client using the command below and restart Splunk:

./splunk set deploy-poll <splunk server ip>:8089
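
The forwarder-side commands used above (add forward-server, add monitor, set deploy-poll) each write a stanza into a .conf file under the forwarder's etc/system/local directory. This added shell example (not part of the original post) renders those three files directly, so the same configuration can be applied to many EC2 instances and checked before the forwarder is restarted; the output directory, the 10.0.1.10 address and the function names are placeholders I chose for illustration.

```shell
#!/bin/sh
# Added example: render the forwarder configuration that the CLI steps produce.
# Assumptions (not from the original post): host IPs are placeholders, and the
# output directory stands in for /opt/splunkforwarder/etc/system/local.
#
# Network note: the Splunk server's security group only needs to allow 9997
# (forwarded data) and 8089 (deployment-server polling) inbound from the
# forwarder instances; port 8000 (web UI) should not be open to them.

# write_forwarder_conf <dir> <indexer-host> <deployment-server-host> <monitor-path>
write_forwarder_conf() {
    dir="$1"; indexer="$2"; ds="$3"; path="$4"
    mkdir -p "$dir"

    # Equivalent of: ./splunk add forward-server <indexer-host>:9997
    cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = ${indexer}:9997
EOF

    # Equivalent of: ./splunk add monitor <monitor-path>   (e.g. /var/log)
    cat > "$dir/inputs.conf" <<EOF
[monitor://${path}]
disabled = false
EOF

    # Equivalent of: ./splunk set deploy-poll <deployment-server-host>:8089
    cat > "$dir/deploymentclient.conf" <<EOF
[target-broker:deploymentServer]
targetUri = ${ds}:8089
EOF
}

# Sanity check before restarting the forwarder: all three stanzas must exist
# and point at the expected ports. Returns 0 on success, 1 otherwise.
check_forwarder_conf() {
    dir="$1"
    grep -q '^server = .*:9997$' "$dir/outputs.conf" 2>/dev/null || return 1
    grep -q '^\[monitor://' "$dir/inputs.conf" 2>/dev/null || return 1
    grep -q '^targetUri = .*:8089$' "$dir/deploymentclient.conf" 2>/dev/null || return 1
    return 0
}
```

After writing the files, run `./splunk restart` from the forwarder's bin directory as in the steps above and confirm the host appears on the Splunk server.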

You can see the client here.

You can also create a server class and deploy the test app here.

Add the client IP or hostname where you want to deploy.
