Getting Data In

Not receiving Linux logs

j666gak
Communicator

Hello,

I am setting up a test rig, and not receiving any logs from another Linux box (please see rig details below).

Splunk Server - Fedora 15 (Latest version of Splunk)
Security Onion - Xubuntu (Universal Forwarder installed - not reporting)
Windows Desktop - XP Pro installed (Universal Forwarder installed and reporting)

I have installed the universal forwarder on the security onion machine but only gave the option to set the management port, not sure if anything else needs setting up. I am new to Linux so I am sorry if this is a newbie question.

Many Thanks
Guy

0 Karma
1 Solution

dmaislin_splunk
Splunk Employee

I made the assumption that he had already added something to the inputs.conf file on the forwarder. If not, simply download the *Nix App to the Splunk Server, configure everything and save it.

Now, on the Splunk server, go to $SPLUNK_HOME/etc/apps
From there, run: tar -czvf unix.tgz unix

Copy this file over to the forwarder and place it into the $SPLUNK_HOME/etc/apps directory.
From there run: tar -zxvf ./unix.tgz
Then restart the forwarder with $SPLUNK_HOME/bin/splunk restart

All would be easier with a deployment server configured, but that's another thread.

0 Karma

tonopahtaos
Path Finder

This is very helpful.

0 Karma

dmaislin_splunk
Splunk Employee

Password on the forwarders was never changed. It is most likely:

admin
changeme

tonopahtaos
Path Finder

The password for admin is always ‘changeme’ regardless of what the real password on the indexer is. This means people can easily do an attack against a real Splunk indexer with lots of junk data. Of course, such a person needs machine access as an insider in the company.

0 Karma

j666gak
Communicator

Hi dmaislin_splunk,

Thank you for all of your help. When trying to run the command below I have replaced the "YOURSPLUNKSERVER" with the IP address of the Splunk server.

splunk add forward-server YOURSPLUNKSERVER:9997

However, when running the command I get an error for permission, and there is no su password set on the Security Onion images. I then tried running the SUDO command and then got prompted to enter a Splunk username; I entered the admin username and password used on the web frontend, which failed, and then tried the credentials for the account logged on to the Fedora machine, which also failed. Not sure which other credentials I can try?

Thanks again

0 Karma

dmaislin_splunk
Splunk Employee

Go to the forwarder and cd to $SPLUNK_HOME/bin

Run this command: . ./setSplunkEnv

That sets up the environment and puts Splunk in your path.

Next, run this command: splunk add forward-server YOURSPLUNKSERVER:9997

Restart Splunk with this command: splunk restart

On the Splunk server, log in to the UI and go to Manager / Forwarding and receiving / Configure receiving
Add a new receiver and listen on port 9997

Hopefully that should cover it.
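
As an added example (not from this thread), a small Python checker for the two forwarder files the steps above produce: the outputs.conf that `splunk add forward-server` writes under $SPLUNK_HOME/etc/system/local, and the inputs.conf that tells the forwarder what to ship. Both file contents below are constructed samples; the stanza names follow Splunk's documented .conf layout, and a forwarder that is "installed but not reporting" usually fails one of these two checks.

```python
import configparser

# Constructed sample: what `splunk add forward-server 192.0.2.10:9997`
# leaves in $SPLUNK_HOME/etc/system/local/outputs.conf on the forwarder.
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.0.2.10:9997
"""

# Constructed sample inputs.conf: without an enabled [monitor://...]
# stanza the forwarder connects to the indexer but sends no events.
SAMPLE_INPUTS = """\
[monitor:///var/log/auth.log]
disabled = 0
sourcetype = linux_secure
index = os
"""


def parse_conf(text):
    """Parse Splunk .conf text (INI-like: [stanza] then key = value)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return cp


def check_forwarder_config(outputs_text, inputs_text):
    """Return a list of problems; empty means the forwarder has
    somewhere to send data (outputs) and something to send (inputs)."""
    problems = []
    out = parse_conf(outputs_text)
    group = out.get("tcpout", "defaultGroup", fallback=None)
    if not group:
        problems.append("outputs.conf: [tcpout] has no defaultGroup")
    elif not out.get("tcpout:" + group, "server", fallback="").strip():
        problems.append("outputs.conf: [tcpout:%s] has no server list" % group)
    inp = parse_conf(inputs_text)
    active = [s for s in inp.sections() if s.startswith("monitor://")
              and inp.get(s, "disabled", fallback="0") not in ("1", "true")]
    if not active:
        problems.append("inputs.conf: no enabled [monitor://...] stanza")
    return problems


if __name__ == "__main__":
    found = check_forwarder_config(SAMPLE_OUTPUTS, SAMPLE_INPUTS)
    print("\n".join(found) if found else "forwarder config looks complete")
```

Point the two constants at the real files under $SPLUNK_HOME/etc/system/local (or the app's local directory) to run it against a live forwarder.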

Ayn
Legend

What about configuring inputs?

0 Karma