Pre-requisites:
An Active Directory lab with three Windows servers:
- Domain controller (DC-1)
- Indexer, which also acts as the deployment server (Indexer)
- Universal forwarder (UF-1)
Make sure all three servers are domain-joined and can reach the domain controller without issues before you start.
Installing and configuring the deployment server / indexer
step-1:
- Download the Splunk Enterprise installer from here.
- Run the downloaded executable, tick the box to accept the license agreement and click Next.
- Create the Splunk administrator credentials and follow the onscreen prompts to complete the installation.
step-2:
- Download the Splunk App for Windows Infrastructure and extract it.
- Create a new directory named local inside the splunk_app_windows_infrastructure folder.
- In that local directory, create a file named indexes.conf (Notepad is fine) with the following text; it defines the four indexes the app expects (maxDataSize is in MB):
[msad]
homePath = $SPLUNK_DB/msad/db
coldPath = $SPLUNK_DB/msad/colddb
thawedPath = $SPLUNK_DB/msad/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
[perfmon]
homePath = $SPLUNK_DB/perfmon/db
coldPath = $SPLUNK_DB/perfmon/colddb
thawedPath = $SPLUNK_DB/perfmon/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
[windows]
homePath = $SPLUNK_DB/windows/db
coldPath = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
- Copy the entire splunk_app_windows_infrastructure folder to C:\Program Files\Splunk\etc\apps.
- Restart Splunk from an administrative command prompt (new indexes only take effect after a restart):
cd "C:\Program Files\Splunk\bin"
.\splunk restart
step-3:
- Log back in to Splunk Enterprise in a browser on the deployment server (http://localhost:8000/) and enable the receiving port: Settings > Forwarding and receiving > Configure receiving > Add New > 9997 > Save. By default this receiving port is plain TCP; restrict it to the forwarder's address with the firewall (see the note at the end) or configure SSL on both sides if the traffic crosses an untrusted network.
step-4:
- In the browser on the deployment server create a new application via
Apps > Manage Apps > Create App with these values:
| NAME | Send_to_indexer |
| FOLDER NAME | sendtoindexer |
| VERSION | 1.0.0 |
| VISIBLE | No |
| AUTHOR | –anything– |
| TEMPLATE | barebones |
- Click save.
- Create a file named outputs.conf with the following text in the
C:\Program Files\Splunk\etc\apps\sendtoindexer\local directory of the deployment server (create the local folder if it does not exist yet).
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = <indexer_hostname_or_ip_address>:9997

# optional per-server settings (for example SSL) go in this stanza
[tcpout-server://<indexer_hostname_or_ip_address>:9997]
- Replace <indexer_hostname_or_ip_address> with the hostname or IP address of the indexer (in this lab the indexer is the same machine as the deployment server). The port is the literal value 9997, the receiving port enabled in step-3, without angle brackets.
- Move the sendtoindexer app from C:\Program Files\Splunk\etc\apps to C:\Program Files\Splunk\etc\deployment-apps.
- Reload the deployment server from the command line:
cd "C:\Program Files\Splunk\bin"
.\splunk reload deploy-server
- In the browser on the deployment server go to Settings > Forwarder Management and confirm sendtoindexer is listed under the Apps tab.
- Click Edit > (+) Add new server class, name it Universal_Forwarder, add the sendtoindexer app to it, include the universal forwarder (UF-1) in its client list, and Save. A forwarder only receives the app once it is both a member of the server class and checking in with this deployment server.
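Steps 2 to 4 on the indexer / deployment server can also be scripted. The PowerShell below is an added example, not code from the original page or from Splunk; it assumes the default install path, admin credentials of admin:ChangeMe!, the indexer hostname Indexer.lab.local and the forwarder hostname UF-1, and it writes the server class to serverclass.conf directly instead of clicking through Forwarder Management.

```powershell
# Added example (not from the original page): scripted version of step-2 to step-4
# on the indexer / deployment server. Run from an elevated PowerShell prompt.
# Assumptions: default install path, admin credentials, indexer and forwarder
# hostnames below; change them to match your lab.
$SplunkHome  = 'C:\Program Files\Splunk'
$SplunkBin   = Join-Path $SplunkHome 'bin\splunk.exe'
$Auth        = 'admin:ChangeMe!'        # credentials created in step-1 (assumed)
$IndexerHost = 'Indexer.lab.local'      # indexer hostname or IP (assumed); same box here
$UfHost      = 'UF-1'                   # universal forwarder hostname (assumed)

function Write-Conf([string]$Path, [string]$Content) {
    # Create the parent folder if needed and write the conf file without a BOM.
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Set-Content -Path $Path -Value $Content -Encoding ascii
}

# step-2: indexes.conf in the Windows Infrastructure app's local directory, generated
# from a list rather than hand-typed; the stanzas match the ones shown above.
$Stanzas = foreach ($idx in 'msad', 'perfmon', 'wineventlog', 'windows') {
@"
[$idx]
homePath = `$SPLUNK_DB/$idx/db
coldPath = `$SPLUNK_DB/$idx/colddb
thawedPath = `$SPLUNK_DB/$idx/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

"@
}
Write-Conf (Join-Path $SplunkHome 'etc\apps\splunk_app_windows_infrastructure\local\indexes.conf') ($Stanzas -join '')

# step-3: open the receiving port (same as Settings > Forwarding and receiving in the UI).
& $SplunkBin enable listen 9997 -auth $Auth

# step-4: deployment app with outputs.conf, created directly under deployment-apps.
$DeployApp = Join-Path $SplunkHome 'etc\deployment-apps\sendtoindexer'
Write-Conf (Join-Path $DeployApp 'default\app.conf') @"
[install]
state = enabled

[ui]
is_visible = 0
label = Send_to_indexer
"@
Write-Conf (Join-Path $DeployApp 'local\outputs.conf') @"
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = ${IndexerHost}:9997
"@

# Server class (what Forwarder Management writes when you add a server class):
# clients whose hostname matches the whitelist get the sendtoindexer app and restart.
Write-Conf (Join-Path $SplunkHome 'etc\system\local\serverclass.conf') @"
[serverClass:Universal_Forwarder]
whitelist.0 = $UfHost

[serverClass:Universal_Forwarder:app:sendtoindexer]
restartSplunkd = true
"@

# New indexes and the listen port need a restart; the deployment server only needs a reload.
& $SplunkBin restart
& $SplunkBin reload deploy-server -auth $Auth

# Verification: the index as btool resolves it, the receiving port, and (once UF-1 has been
# pointed at this server on port 8089) the deployment clients that have phoned home.
& $SplunkBin btool indexes list wineventlog --debug
& $SplunkBin display listen -auth $Auth
& $SplunkBin list deploy-clients -auth $Auth
```

The btool line shows which file each setting came from, which is the quickest way to catch an indexes.conf that landed in the wrong folder; an empty deploy-clients list after the reload means the forwarder is not yet checking in, not that the server class is wrong.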
Adding data from the local server
- In Splunk Enterprise on the deployment server click Splunk Enterprise > Add Data > Monitor > Local Event Logs > Add all > Next, set the desired host field value, then Review and Submit.
- Under Apps > Search & Reporting > Data Summary the host now appears and its event logs can be searched.
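The same local inputs can be defined in inputs.conf, which is what the Add Data wizard writes behind the scenes. The PowerShell below is an added example, not code from the original page; the app name local_wineventlog, the credentials and the choice of the wineventlog index (created in step-2) are assumptions, and it covers the three default channels rather than every channel on the box.

```powershell
# Added example (not from the original page): the inputs.conf equivalent of
# Add Data > Monitor > Local Event Logs, packaged as a small app of its own.
# App name, index and credentials are assumptions; run from an elevated prompt.
$SplunkHome = 'C:\Program Files\Splunk'
$SplunkBin  = Join-Path $SplunkHome 'bin\splunk.exe'
$Auth       = 'admin:ChangeMe!'
$AppLocal   = Join-Path $SplunkHome 'etc\apps\local_wineventlog\local'
New-Item -ItemType Directory -Force -Path $AppLocal | Out-Null

# One stanza per channel; the wizard's "Add all" does the same for every channel present.
# index matches the wineventlog index from step-2; host sets the host field value.
$Inputs = foreach ($channel in 'Security', 'System', 'Application') {
@"
[WinEventLog://$channel]
disabled = 0
index = wineventlog
host = $env:COMPUTERNAME
start_from = oldest
current_only = 0

"@
}
Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Value ($Inputs -join '') -Encoding ascii

# Inputs are picked up on restart.
& $SplunkBin restart

# Same check as Data Summary, from the command line: events per host and channel
# for the last 15 minutes. An empty result usually means the index name is wrong.
& $SplunkBin search 'index=wineventlog earliest=-15m | stats count by host, source' -auth $Auth
```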
Note: Make sure the Windows Firewall on all three servers allows the required ports: TCP 8000 (Splunk Web) and TCP 8089 (splunkd management, the port deployment clients use to check in) inbound on the deployment server, and TCP 9997 (receiving) inbound on the indexer. The universal forwarder only makes outbound connections to 8089 and 9997 and needs no inbound rule.
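The firewall rules and a reachability check from the forwarder can be done in PowerShell. The block below is an added example, not code from the original page; the indexer hostname and rule names are assumptions, and it deliberately scopes the rules to the Domain profile and the local subnet rather than opening the ports to every network.

```powershell
# Added example (not from the original page): Windows Firewall rules for the lab plus a
# reachability check. Hostnames and rule names are assumptions. The indexer / deployment
# server accepts inbound 8000 (Splunk Web), 8089 (splunkd management, deployment client
# check-in) and 9997 (receiving); the forwarder only makes outbound connections.
$IndexerHost = 'Indexer.lab.local'
$Rules = @(
    @{ Name = 'Splunk Web 8000';         Port = 8000 },
    @{ Name = 'Splunkd management 8089'; Port = 8089 },
    @{ Name = 'Splunk receiving 9997';   Port = 9997 }
)

# Run on the indexer / deployment server. Scoped to the Domain profile and the local
# subnet so the ports are not exposed on every interface and network profile.
foreach ($r in $Rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress LocalSubnet -Profile Domain -Action Allow | Out-Null
    }
}

# Run on UF-1 (and on DC-1 if it will forward too): confirm both ports answer before
# blaming Splunk for a forwarder that never shows up in Forwarder Management.
foreach ($p in 8089, 9997) {
    $t = Test-NetConnection -ComputerName $IndexerHost -Port $p -WarningAction SilentlyContinue
    '{0,-5} {1}' -f $p, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}
```

If 8089 reports BLOCKED the forwarder will never receive the sendtoindexer app; if only 9997 is blocked it will appear in Forwarder Management but no events will arrive.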