Deploying the Universal Forwarder & Establishing a Secure Connection
Introduction
Day 4 focused on using the Splunk Universal Forwarder to increase endpoint visibility. I set up the forwarder to securely send log data back to the Splunk indexer, giving the lab a dependable, encrypted data flow. By turning endpoints into active data sources, this step improved the lab's monitoring capabilities.
Deploying the Universal Forwarder involves installing the lightweight agent on the target system to collect and forward data securely to a Splunk instance. Establishing a secure connection requires configuring SSL/TLS certificates and ensuring proper authentication and encryption settings to protect data in transit.
Objective
The objective is to install and configure the Splunk Universal Forwarder on a Windows server to securely collect and forward local data to a Splunk Cloud instance, ensuring data integrity and secure transmission.
Why a Universal Forwarder?
A Universal Forwarder is used because it is a lightweight agent explicitly designed for collecting and forwarding data from remote systems to a Splunk instance. It offers efficient data collection, minimal resource usage, and secure transmission capabilities, making it ideal for deploying across multiple systems to centralize data in Splunk.
From Centralized to Distributed Data Collection
The Problem: Your Cloud SIEM is powerful, but it can't see inside your remote machines.
The Solution: The Universal Forwarder (UF). It's a lightweight, dedicated agent installed on a data source (e.g., a web server, domain controller) whose sole job is to:
Collect data from log files, the registry, and APIs.
Securely forward that data to your central Splunk indexer (Cloud).
Installation of the Credential File
Download & Install the UF
Planting the Agent
Download
From your Splunk Cloud dashboard, go to Settings > Forwarding and Receiving.
There you will find the link to download the Universal Forwarder for Windows.
Install
Run the installer as Administrator.
The installation wizard is straightforward. Accept the license and choose the installation directory (default is fine).
Crucial Step:
During installation, you must provide the Cloud Instance URL and the Port.
CLI Configuration & Authentication
The Secure Handshake (The Correct Commands)
Open Admin PowerShell
Navigate to the UF's bin directory:
cd "C:\Program Files\SplunkUniversalForwarder\bin"
Authenticate the Forwarder
The authentication command supplies the username and password (generated in Splunk Cloud on Day 3) and establishes the trusted connection.
Restart and Verify Service Status
Activating the Agent
Restart the Forwarder to apply all new configurations:
.\splunk.exe restart
Check Status: Confirm the service is running and see basic info.
.\splunk.exe status
Expected Output: the status command reports that the forwarder service (splunkd) is running.
Local Log Verification: Checking the Agent's Own Logs
Success Goal: Find the UF's own operational log to troubleshoot any issues.
Location: C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
How to Check:
Open the file with a text editor or tail it from PowerShell:
Get-Content "C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log" -Tail 20
What to Look For: Search for "Connected to peer" or "Trying to connect" messages. A "Connected to" message indicates a successful connection to your cloud instance; "Trying to connect" only shows the forwarder is attempting one, so if those keep repeating without a "Connected to" line, the link is not yet established and the firewall, DNS, or credentials need checking.
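As an added example (not part of the original post), the following PowerShell health check ties the status and log checks above together: it confirms the service state, reads the configured indexers from the merged outputs.conf via btool, tests outbound TCP reachability to each, and classifies the newest TcpOutputProc line in splunkd.log. It assumes the default install path, the Windows service name SplunkForwarder, and the log message substrings quoted above.

```powershell
# Added health check (not part of the original post). Assumes the default install
# path, the Windows service name "SplunkForwarder", and the splunkd.log message
# substrings quoted in the post ("Connected to" = up, anything else = still trying).
$SplunkHome = "C:\Program Files\SplunkUniversalForwarder"
$SplunkExe  = Join-Path $SplunkHome "bin\splunk.exe"
$SplunkLog  = Join-Path $SplunkHome "var\log\splunk\splunkd.log"

# 1. Service state: a stopped service explains an empty index=* search immediately.
$svc = Get-Service -Name SplunkForwarder -ErrorAction Stop
"Service SplunkForwarder : $($svc.Status)"

# 2. Configured indexers: btool merges every outputs.conf (including the one the
#    Splunk Cloud credentials app installed) and prints the effective 'server =' line.
$servers = & $SplunkExe btool outputs list tcpout |
    ForEach-Object {
        if ($_ -match '^\s*server\s*=\s*(.+)$') { $Matches[1] -split ',' }
    } | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique
"Configured indexers  : $($servers -join ', ')"

# 3. Network path: an outbound TCP test to each indexer:port separates a firewall
#    or DNS problem from an authentication problem.
foreach ($target in $servers) {
    $peerHost, $peerPort = $target -split ':'
    $reach = Test-NetConnection -ComputerName $peerHost -Port ([int]$peerPort) `
                                -WarningAction SilentlyContinue
    "TCP {0,-45} : {1}" -f $target, $(if ($reach.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 4. The forwarder's own verdict: only the newest TcpOutputProc line counts, because
#    an old "Connected to" followed by retries means the link has since dropped.
$last = Get-Content $SplunkLog -Tail 500 |
    Select-String -Pattern 'TcpOutputProc' | Select-Object -Last 1
if (-not $last) {
    "splunkd.log         : no TcpOutputProc activity in the last 500 lines"
} elseif ($last.Line -match 'Connected to') {
    "splunkd.log         : link UP -> $($last.Line)"
} else {
    "splunkd.log         : link NOT established -> $($last.Line)"
}
```

Run it from the same Admin PowerShell session used for the commands above; step 3 relies on the Test-NetConnection cmdlet, which is available on Windows 8 / Server 2012 and later.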
Cloud Verification
Confirming Data is Flowing to HQ
Log in to your Splunk Cloud instance.
Run This Search: index=* | stats count by host
This search looks across all data and counts how many events come from each host.
Success! The Windows server's hostname shows up (e.g., WIN-DC01) in the results list. This is definitive proof that the secure connection is active and data is flowing from your machine to the cloud.
Source: Active Directory
I changed the host search because I installed the Universal Forwarder agent on the domain controller Windows server, which is why the system can capture logs from Active Directory.
Success & Reflection
The Hybrid Architecture is Complete
Goals Achieved:
Downloaded and installed the Universal Forwarder.
Used CLI commands to configure a secure connection to Splunk Cloud.
Verified the UF service is running locally via splunkd.log.
Confirmed in Splunk Cloud that data is being received from the new host.
Day 4 was about operational execution: moving from a simple uploaded file to a continuous, automated data stream. Mastering the Universal Forwarder's CLI is a core SOC and DFIR skill.