Monitoring firewalls - serate-actual/sec350final GitHub Wiki

Summary

Installing Splunk Universal Forwarder

  • wget the Splunk Universal Forwarder for Linux .deb file
    • This did not work during testing, but you can download it to your mgmt01 box and scp it to the hosts
  • Use dpkg to install splunkforwarder

Configure Splunk Universal Forwarder

  • cd to /opt/splunkforwarder/bin
  • Run splunk
    • ./splunk start --accept-license
  • Configure the forwarder to send its data to the Splunk indexer (receiving port 9997)
    • ./splunk add forward-server 10.0.5.10:9997
  • Configure the forwarder to poll the deployment server for its configuration
    • ./splunk set deploy-poll 10.0.5.10:8089
  • Configure monitoring
    • Monitor /config
      • ./splunk add monitor /config
    • Monitor /etc/passwd
      • ./splunk add monitor /etc/passwd

Creating Dashboards

  • Extract the firewall name (LAN-to-MGMT, etc.) as a field so the dashboards can group on it

Create firewall blocks dashboard

  • Search for index="firewall-drops"
  • Create a pivot table including the firewall_name, DST, and SRC fields.
  • Add it to an Overview dashboard
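The field extraction and the firewall_name/DST/SRC pivot above, as an added stand-alone example (not part of the original wiki or its Splunk configuration). It assumes netfilter-style drop events whose bracketed prefix carries the rule set name; the sample lines are constructed.

```python
"""Added example: extract firewall_name, SRC and DST from drop events and
build the same (firewall_name, DST, SRC) drop-count pivot the dashboard shows.
The log format below is an assumption; the sample events are constructed."""
import re
from collections import Counter

# Constructed sample events (assumed format: "[<ruleset>-default-<action>]..." prefix
# followed by netfilter key=value fields).
SAMPLE_EVENTS = [
    "[LAN-to-MGMT-default-D]IN=eth1 OUT=eth0 SRC=10.0.5.5 DST=10.0.17.1 PROTO=TCP DPT=22",
    "[LAN-to-MGMT-default-D]IN=eth1 OUT=eth0 SRC=10.0.5.5 DST=10.0.17.1 PROTO=TCP DPT=22",
    "[WAN-to-LAN-default-D]IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.5.10 PROTO=TCP DPT=8089",
    "malformed line with no fields",
]

# Equivalent of a Splunk rex extraction: firewall_name is the bracketed text
# before "-default-<action>"; SRC and DST are the netfilter address fields.
FIELD_RE = re.compile(
    r"^\[(?P<firewall_name>.+?)-default-[A-Z]\].*?"
    r"\bSRC=(?P<SRC>\S+)\b.*?\bDST=(?P<DST>\S+)"
)


def extract_fields(event):
    """Return {'firewall_name', 'SRC', 'DST'} or None if the event does not match."""
    m = FIELD_RE.search(event)
    return m.groupdict() if m else None


def pivot_drops(events):
    """Count drops per (firewall_name, DST, SRC), like the dashboard pivot table."""
    counts = Counter()
    for line in events:
        fields = extract_fields(line)
        if fields is None:
            continue  # unmatched lines simply get no fields, as in Splunk
        counts[(fields["firewall_name"], fields["DST"], fields["SRC"])] += 1
    return counts


if __name__ == "__main__":
    for (fw, dst, src), n in pivot_drops(SAMPLE_EVENTS).most_common():
        print(f"{fw:<12} {dst:<12} {src:<14} {n}")
```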

Create Commit tracker

  • Search for sourcetype="commits-too_small"
  • Create a pivot table
  • Create a line chart split on the host field, so each host gets its own line
  • Add it to the Overview dashboard