How do I forward to a vm and forward it out again?

wuming79 · ‎07-22-2017

Hi,

how does one forward something like sysmon from 1 vm (guest1) to another vm (guest2) and then out to another pc (outside network)?

Do I install universal forwarder and sysmon on Guest 1, and use deployment server to send out to another PC outside network?

wuming79 · ‎07-24-2017

Is a vmware host-only guest able to forward out data to host??

wuming79 · ‎07-23-2017

I made a mistake installing sysmon on both my guest machines and forwarding sysmon log from guest 1 (Host-only) to guest2 (Host-only and natNetwork) and intermediately forward out to another host. I thought I was looking at the sysmon log from guest 1 but realized I'm not.

How should I set up the input.conf and output.conf on guest2??

adonio · ‎07-23-2017

not sure how Deployment Server comes to play here.
Deployment Server controls the forwarders (and other splunk instances if desired) configurations
i think the only thing you need is to verify there is a connection between all 3 machines guest1, guest2, and PC.
have a forwarder collect sysmon and forward it to guest2, have guest2 listen to TCP inputs and forward out using TCP to PC.
have the PC listen to traffic from guest2 on the desired port and you are all set
hope i understand the question and i am not missing something here.

wuming79 · ‎07-23-2017

Hi, thanks adonio, I realized I only need to setup forwarder twice on both guest machines. No need for deployment server.

How do I forward to a vm and forward it out again?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life