Creating analysis policy in Data Protection Advisor UI

In the policy-based actions, select “EDIT POLICY-BASED ACTIONS” and enable the event log action “Write an event to the Windows Event Log” as shown in Figure 46.

In the Analysis Rules, select “ADD/REMOVE RULES” to add the analysis rules as shown in Figure 47.

Figure 47. Add/remove analysis rule configuration

As an example, a sample analysis policy “Cyber Threat Anomaly Detection” is created with analysis rules and a policy-based action as shown in Figure 48 and Figure 49.

Figure 48. Sample analysis policy for Cyber threat anomaly detection

Figure 49. Policy-based action configuration in an analysis policy

Note: When creating an analysis policy, it is recommended to start with one rule and build the policy up from there. If all rules are enabled simultaneously, you may be flooded with alerts.

Apply the analysis policy to groups, objects, and child objects respectively. In this example, as shown in Figure 50, the analysis policy is applied to the object “PowerProtect Data Manager Software”.

Figure 50. Section to apply analysis policy to groups, objects, and child objects

Configure a receiving port from the Splunk Web UI

A receiver is the Splunk instance that receives data from the forwarder. To enable the receiver, from the Splunk web UI, navigate to “Settings” and select “Forwarding and Receiving” as shown in Figure 51.

Figure 51. Forwarding and Receiving option in settings

As shown in Figure 52, in the “Receive data” section, click “Add new” next to the “Configure receiving” option.

Figure 52. Forwarding and receiving configuration

Enter the port as “9997” in the “Listen on this port” section as shown in Figure 53. The conventional receiver port configured on indexers is port 9997.

Figure 53. Section to input the receiver port

Figure 54 shows successful receiving port configuration from the Splunk UI.

Figure 54. Successful receiving port configuration

Install the Splunk universal forwarder on Data Protection Advisor

Download the Splunk universal forwarder from and copy it to the Data Protection Advisor application server. On the Data Protection Advisor application server, execute the MSI file to start the installation.

Check the box to accept the “License Agreement” and choose the option “An on-premises Splunk Enterprise instance”. Click “Customize Options” as shown in Figure 55.

Figure 55. Splunk universal forwarder installation – License agreement

As shown in Figure 56, click “Next” after verifying the installation directory.

Figure 56. Splunk universal forwarder installation – Installation directory

On the Certificate Information page, click “Next” as a best practice as shown in Figure 57.

Figure 57. Splunk universal forwarder installation – SSL certificate

As shown in Figure 58, run the Universal Forwarder as the “Local System” user and click Next.

Figure 58. Splunk universal forwarder installation – Installation as Local System

From the “Windows Event Logs”, select “Application Logs” as shown in Figure 59.

Figure 59. Splunk universal forwarder installation – Selecting Windows event application logs

As shown in Figure 60, enter the credentials for the administrator account.

Figure 60. Splunk universal forwarder installation – Administrator account credentials

In the Deployment Server page, select Next as shown in Figure 61.

Figure 61. Splunk universal forwarder installation – Deployment server details

In the Receiving Indexer pane, enter the hostname or IP address and the receiving port of the receiving indexer that you want the universal forwarder to send data to, as shown in Figure 62, and click Next.

Figure 62. Splunk universal forwarder installation – Receiving indexer configuration

Click Install to proceed with the installation as shown in Figure 63.

Figure 63. Splunk universal forwarder installation – Begin installation wizard

The installer runs and displays the Installation Completed dialog box as shown in Figure 64. The universal forwarder starts automatically.

Figure 64. Splunk universal forwarder installation – Installation completed dialog box

Query the Splunk main index for events forwarded from Data Protection Advisor

From the Splunk web UI, select the option “Search & Reporting” as shown in Figure 65.
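The two configuration fragments below are an added example, not text from Dell or Splunk, showing what the wizard choices in the forwarder installation above (receiving indexer on port 9997, Windows Application event log as the input) correspond to on disk, and which index the search in the last step should target. The indexer hostname and the output-group name are placeholders.

```ini
# outputs.conf on the Data Protection Advisor server, typically under
# $SPLUNK_HOME\etc\system\local\ of the universal forwarder.
# Equivalent of the "Receiving Indexer" wizard page: host or IP and port 9997.
# indexer.example.internal and dpa_indexers are placeholders, not real values.
[tcpout]
defaultGroup = dpa_indexers

[tcpout:dpa_indexers]
server = indexer.example.internal:9997

# inputs.conf on the same forwarder.
# Equivalent of selecting "Application Logs" under "Windows Event Logs".
# Events written by the Data Protection Advisor policy action land here and
# are sent to the main index, which is where the search step looks for them.
[WinEventLog://Application]
disabled = 0
index = main
```

On the forwarder, `splunk list forward-server` (run from the universal forwarder's bin directory) shows whether the indexer is an active forward target. In Search & Reporting, `index=main sourcetype="WinEventLog:Application"` returns the forwarded Application-log events, including those written by the Data Protection Advisor policy action.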