Saturday, November 20, 2021

Configure Forcepoint NGFW to send syslog data to Splunk via Universal Forwarder

Hi,

For a few days I've been trying to get the job done, but I'm getting a little confused. We have three components that need to work together for this: Forcepoint SMC, Splunk, and the Splunk Forwarder. The environment I'm installing it on is CentOS 7 hosted on VMware ESXi. As far as I understood, the data should be sent from the Forcepoint to the Splunk Forwarder and then to the Splunk server, right? How exactly does the Splunk Forwarder work, and what should its connection point be with both the Forcepoint and Splunk? Should I be using Docker, or can I get it working without it? Let me make clear where I am so far.

- Created a splunk user and group which has full permission to the /opt/* folders (I'm a little confused about who should be running the processes). Whitelisted the ports.

- Configured Forcepoint to send data to SplunkServerIP:9997 (probably the data should be sent to the Splunk Forwarder instead, which I think is the main problem).

- Installed Splunk and the Forcepoint app (it shows up in the apps in the web interface at SplunkServerIP:8000).

- Got the Splunk server running and listening on port 9997, which is set in the web interface as receiving. Left everything else at the defaults (management port and so on).

- Downloaded and installed the Universal Forwarder (no Docker used), changed the management port from 8089 to 8090 (because of a conflict with the Splunk Server management port). Added the forward server SplunkServerIP:9997 and a monitor on /var/log/ with sourcetype linux_secure.

So far, when I check the data received by the Splunk server, I can see errors that the data chunks are too large.

Thanks in advance. I'm just getting introduced to Linux and firewalls, and sorry for any spelling mistakes. Any help would be appreciated, even if it's just for a logical understanding of how these should work!
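As an added example, not part of the original post, these are the two Universal Forwarder configuration files that implement the flow described above: the forwarder listens for the firewall's syslog on a port of its own and relays it to the indexer's receiving port 9997, which carries Splunk's forwarder-to-indexer protocol rather than syslog. The listening port 5514, the sourcetype name and the index are assumptions; SplunkServerIP is the indexer from the post.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Universal Forwarder
# (added example, not from the post). Forcepoint SMC is pointed at
# ForwarderIP:5514 rather than at the indexer's 9997. Port 5514 is an
# assumption: a non-root "splunk" user cannot bind 514 without extra
# privileges, so a high port is used (open it in the host firewall).

[udp://5514]
# placeholder: use the sourcetype the Forcepoint Splunk app expects
sourcetype = forcepoint_ngfw
# "main" exists on a default indexer; a dedicated index is better practice
index = main
# record the sending firewall's IP address as the event's host field
connection_host = ip

# Same stanza for TCP if the SMC is configured to send syslog over TCP
[tcp://5514]
sourcetype = forcepoint_ngfw
index = main
connection_host = ip

# $SPLUNK_HOME/etc/system/local/outputs.conf on the Universal Forwarder
[tcpout]
defaultGroup = indexer_group

[tcpout:indexer_group]
# the indexer's "receiving" port enabled in the web interface
server = SplunkServerIP:9997
```

Both files are read after a forwarder restart (`$SPLUNK_HOME/bin/splunk restart` as the splunk user); the existing /var/log/ monitor stanza can stay in the same inputs.conf.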
