Install the Splunk Universal Log Forwarder
To set up the Splunk Universal Log Forwarder, download the version for your operating system from https://www.splunk.com/en_us/download/universal-forwarder.html, then follow the steps below.
To install on Windows:
- Open the Windows Splunk installation package (e.g. splunkforwarder-8.2.2.1-ae6821b7c64b-x64-release.msi).
- Accept the License Agreement.
- Choose Splunk Enterprise (on-premises) or Splunk Cloud.
- Click Customize Options.
- Choose the file path to install the Universal Forwarder to.
- Click Next.
- (Optional) Enter the SSL certificate, certificate password, and SSL root CA.
- Click Next.
- Choose the Splunk Account type that the installation will create.
- Click Next.
- Select all the checkboxes under Windows Event Logs, Performance Monitor, and Active Directory Monitoring to ensure that all logs will be monitored.
  Tip: To monitor DHCP logs, enter C:\Windows\System32\DHCP in the Path to monitor box.
- Click Next.
- Enter a Username and Password for the new Splunk account.
- Click Next.
- (Optional) Under Deployment Server, enter your deployment server IP and port.
- Click Next.
- Under Receiving Indexer, enter the receiving indexer IP and port.
- Click Next.
- Click Finish.

To install on Linux:
- Install the Linux installation package based on your distribution.
- Refer to the Splunk Admin Manual to begin forwarding logs to your Splunk server.

Example installation:
- Open CentOS.
- Install the downloaded Universal Forwarder package. Enter the following command:
  > rpm -Uvh /[PATH_TO_FILE]/splunkforwarder-[VERSION_NUMBER].rpm
- Add the forwarding server. Enter the following command:
  > /opt/splunkforwarder/bin/splunk add forward-server X.X.X.X:9997
  Note: If this is the first time you are running a command using the Splunk client, you must accept the user agreement and create a Splunk username and password. This user account will be used for Splunk management.
- Install the audit service. If the audit service came pre-installed with your distribution, skip this step.
- Run the following commands in the listed order (auditctl has no restart action; the audit daemon is restarted through its service):
  > sudo yum install audit
  > sudo service auditd restart
  > /opt/splunkforwarder/bin/splunk add monitor /var/log/audit/audit.log
  > /opt/splunkforwarder/bin/splunk add monitor /var/log/messages
  > /opt/splunkforwarder/bin/splunk add monitor /var/log

Note: To ensure the proper host is attributed in the Splunk query, Tenable Nessus Network Monitor maintains a name-to-IP address cache. This cache is populated from Splunk queries or from Tenable Nessus Network Monitor's passively collected data. In some cases the log forwarder may have a misconfigured name, so the Splunk IP-to-name mapping may be inaccurate. To correct this issue, review the serverName setting in $SPLUNK_HOME/etc/system/local/server.conf. This name must match the name returned by the query index=_internal sourcetype=splunkd group=tcpin_connections | stats latest(sourceIp) by hostname. If the names do not match, the Splunk IP-to-name mapping will be incorrect and the SIEM Pull Service will not provide data to Tenable Nessus Network Monitor.
Example:
cat /opt/splunkforwarder/etc/system/local/server.conf
[general]
serverName = dhcpc7
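The serverName check described in the note above, as an added Python example (not Tenable's or Splunk's code): it reads serverName from a constructed server.conf and compares it against constructed rows of the kind the tcpin_connections query returns, flagging short-name versus FQDN or case differences that would break the IP-to-name mapping.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample of a forwarder's server.conf (the file the note says to review).
SERVER_CONF = """\
[general]
serverName = dhcpc7

[sslConfig]
sslPassword = <redacted>
"""

# Constructed sample of what the query
#   index=_internal sourcetype=splunkd group=tcpin_connections | stats latest(sourceIp) by hostname
# might return on the indexer: one row per forwarder hostname. Addresses are documentation ranges.
TCPIN_ROWS = [
    {"hostname": "dhcpc7", "latest(sourceIp)": "192.0.2.10"},
    {"hostname": "web01.example.internal", "latest(sourceIp)": "192.0.2.20"},
]


def server_name_from_conf(conf_text: str) -> Optional[str]:
    """Return the [general] serverName value, or None if it is not set."""
    cp = configparser.ConfigParser(interpolation=None)  # Splunk values may contain '%'
    cp.read_string(conf_text)
    return cp.get("general", "serverName", fallback=None)


def check_host_mapping(conf_text: str, rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Map the forwarder's serverName to the IP Splunk saw it connect from.

    'ok' is False when the exact name is absent from the query rows, which is
    the mismatch the note describes. 'near_matches' lists hostnames that differ
    only by domain suffix or case, the usual cause of such a mismatch.
    """
    name = server_name_from_conf(conf_text)
    by_host = {r["hostname"]: r["latest(sourceIp)"] for r in rows}
    mapped_ip = by_host.get(name) if name else None
    near: List[str] = []
    if name and mapped_ip is None:
        short = name.split(".")[0].lower()
        near = sorted(h for h in by_host if h.split(".")[0].lower() == short and h != name)
    return {"serverName": name, "mapped_ip": mapped_ip, "ok": mapped_ip is not None,
            "near_matches": near}


if __name__ == "__main__":
    print(check_host_mapping(SERVER_CONF, TCPIN_ROWS))
```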
Once installed, the Universal Log Forwarder sends to Splunk the logs that Tenable Nessus Network Monitor queries in order to list events.
Tenable Nessus Network Monitor uses the following Splunk query to generate events (using DHCP as an example):
source="/var/log/messages" *dhcpd*dhcp*
This query generates an output of all DHCP events. For example:
[DHCP_HOST] dhcpd: DHCPACK on 127.0.0.1 to 00:11:aa:bb:22:ff (QUERYING_HOST) via ens192
For more information on the Splunk Universal Log Forwarder, see the following topics: