Hi, I am struggling to configure the Splunk forwarder to get data into Splunk. I am trying to get the data (auth.log) sent across from a Kali Linux operating system. When I configured it in Kali I used the syntax below (the IP address is my Kali IP address when I run ifconfig). I followed a guide online where it said to put port 11000.
Essentially, I am playing around with a few VMs (Ubuntu, Windows 10, Kali Linux) and trying to get the data from those VMs into Splunk Enterprise, then play around with setting up some alerts and generating some reports.
Hi Gcusello, thanks for your help. I installed Splunk and the universal forwarder in Kali Linux. Then I used the command below to set up the forwarder to the IP address and port shown.
The IP address is the one in my Kali Linux system when I run ifconfig.
./splunk add forward-server 192.168.253.130:9997 -auth Tonyrakus:WhistlXXXX?
I go into Splunk Enterprise, Settings - Forwarder management, and the following screen comes up below -
If you see a server in Forwarder management, it seems only that you ran the command to configure the deployment server ("set deploy-poll <IP_address/hostname>:<management_port>"), not the one to configure the Indexer (./splunk add forward-server 192.168.253.130:9997 -auth Tonyrakus:WhistlXXXX).
I then tried to set up the forwarder to forward traffic from Kali Linux into Splunk Enterprise, but for some reason Splunk Enterprise shows that a forwarder is set up from IP 192.168.253.1, which I think is another VM (on my main OS, Windows, I went into the command prompt and ran ipconfig; the results are in the screenshot below).
Last question for tonight, I promise. If I now want to upload log files from Kali to Splunk Enterprise, what is the best way of doing that? Clicking on one of the boxes in the screenshot and going from there?
In the Splunk training I did, it only showed how to upload data by uploading log files. I guess I could send some log files from Kali to a file and then upload them, but is there another real-time way so I can keep the log files uploading continuously?
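As an added example that is not part of the original thread: the continuous, real-time alternative to manual uploads is a universal forwarder with a monitor input. The two configuration files below use the indexer address and port 9997 from the thread; the forwarder install path (/opt/splunkforwarder), the sourcetype and the index name are assumptions and should be adjusted to your environment.

```ini
# /opt/splunkforwarder/etc/system/local/outputs.conf
# Where the forwarder sends data (added example, not from the thread).
# The indexer must have receiving enabled on this port
# (Settings > Forwarding and receiving > Configure receiving).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 192.168.253.130:9997

# /opt/splunkforwarder/etc/system/local/inputs.conf
# Tail auth.log continuously; new lines are forwarded as they are written,
# so nothing has to be uploaded by hand.
[monitor:///var/log/auth.log]
# Assumed sourcetype; linux_secure is what Splunk_TA_nix uses for auth logs.
sourcetype = linux_secure
# Assumed index; create a dedicated one if you prefer to keep lab data separate.
index = main
disabled = false
```

After saving both files, restart the forwarder (/opt/splunkforwarder/bin/splunk restart) and confirm the connection with /opt/splunkforwarder/bin/splunk list forward-server; the indexer should show "Active forwards". Two things commonly block data from arriving: receiving not enabled on port 9997 on the indexer, and the forwarder running as a non-root user that cannot read /var/log/auth.log (on Debian-based systems such as Kali the file is readable by the adm group). Note also that the Forwarder management page lists deployment clients, not data forwarders; to verify the data itself, search index=main host=<kali-hostname> on the indexer.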
Navigate to the /opt directory with the command cd /opt. Then extract the Splunk archive with the tar command, including the path to and complete name of the file you just downloaded. In my example, this looks like: tar -zxf /tmp/splunk-7.0.0-c8a78efdd40f-Linux-x86_64.tgz
This creates /opt/splunk, the Splunk home directory (referred to as $SPLUNK_HOME in the documentation), with the splunk binary under /opt/splunk/bin. Whenever the installer asks where the program was installed, or the documentation refers to the installation directory, this means /opt/splunk.
b) Get the package name and delete the older release. And yes, that is a \ before the * as you have to escape it. In this example, splunkforwarder-8.1.6 is being removed.
> pkg info -g splunkforwarder\*
> pkg delete -y splunkforwarder-8.1.6
> rm /etc/rc.d/splunk
> rm -R /opt/splunkforwarder
In my opinion, the files /var/log/messages, /var/log/secure and /var/log/audit/audit.log are worth collecting. As we installed Splunk as the splunk user, which is a non-root user, we have to make some changes in order to be able to read these log files.
Unfortunately, the rlog.sh script, which is responsible for reading the /var/log/audit/audit.log file, is not working for me. Therefore, I changed rlog.sh under /opt/splunk/etc/apps/Splunk_TA_nix/bin/ to the following: