Preparing Splunk Enterprise to Receive Data
Introduction
Configuring Splunk Enterprise to receive and process machine data was the primary focus of day five. To ensure logs could enter the environment without issues for indexing and analysis, I set up and verified data inputs. This work laid the groundwork for the data pipeline, enabling the onboarding of various log sources and opening the door for efficient monitoring and detection.
Objective
To configure the on-premise Splunk Enterprise instance to act as a receiver, enabling it to accept data from Universal Forwarders and other sources.
The Concept: Data Onboarding
The front door of the SIEM opens.
Data onboarding: What is it?
Data onboarding is the process of setting up Splunk to receive, process, and store data from a new source.
The difficulty is that you currently have a passive Splunk Enterprise installation. Although it can search data that it already possesses, it is unable to listen for newly incoming data.
Enabling a receiving port, which serves as a specific "listening post" for data transmitted by forwarders, is the goal for today.
**The "Why": Understanding Receiving Ports**
The Designated Landing Zone
Think of your Splunk server as a headquarters building. A receiving port is like a specific loading dock bay (e.g., Bay 9997) where delivery trucks (Universal Forwarders) are expected to arrive.
Why It's Necessary:
Network Communication: All network data travels through numbered ports.
Security: It instructs Splunk to accept data only on this specific, known port, thereby enhancing security.
Protocol: The Splunk Forwarding Protocol expects a designated port to communicate on.
Without this, forwarders have nowhere to send their data, and the connection will fail.
Accessing the Configuration
Navigating to the Right Settings
Log in to your local Splunk Enterprise instance (localhost:8000).
Go to Settings.
Click on Forwarding and Receiving.
Click on Configure Receiving under the Receive Data section.
Every log transmitted from a device must first arrive at a port on the receiver, which is why the receiving port has to be established before any forwarder can deliver data.
Enabling the Receiving Port
Opening the Loading Dock Bay
Step 1: Click on New to create a new receiving port.
Step 2: Enter the Port Number.
The standard, default port for Splunk-to-Splunk communication is 9997.
Enter 9997 in the port field.
Step 3: Click Save.
Result: Splunk will now restart its necessary services. Once complete, it will be actively listening for incoming data connections on port 9997.
**Verification: Confirming the Port is Active**
Checking the Listening Post
How to Verify the Configuration Worked: Return to the Configure Receiving page.
You should now see port 9997 listed in the table of active receiving ports.
A result showing LISTENING confirms the port is active.
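The same verification from the command line, as an added example rather than part of the original write-up. It assumes a default Windows install path for Splunk Enterprise, and the indexer hostname and admin password are placeholders to replace with your own.

```powershell
# Added example: verify the Splunk receiving port from both sides.
# Assumptions: Splunk Enterprise is installed at $SplunkHome, and the UI step
# above created the receiving port. $IndexerHost and the password are placeholders.
$SplunkHome  = 'C:\Program Files\Splunk'      # assumed install path
$IndexerHost = 'splunk-indexer.lab.local'     # placeholder: your Splunk Enterprise host
$Port        = 9997

# 1. On the Splunk Enterprise server: is a socket bound to 9997 in the LISTEN state?
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
if ($listener) {
    "Port $Port is LISTENING (PID $($listener.OwningProcess))"
} else {
    "Nothing is listening on $Port - re-check Settings > Forwarding and receiving, then restart splunkd"
}

# 2. Confirm the process that owns the socket is splunkd and not something unexpected.
if ($listener) {
    Get-Process -Id $listener.OwningProcess | Select-Object Name, Path
}

# 3. Ask Splunk itself which receiving ports are enabled (CLI equivalent of the
#    Configure Receiving page). Replace <password> with the admin password.
& "$SplunkHome\bin\splunk.exe" display listen -auth 'admin:<password>'

# 4. From a host that will run a Universal Forwarder: can it reach the port over
#    the network? TcpTestSucceeded = False usually means a firewall or wrong host.
Test-NetConnection -ComputerName $IndexerHost -Port $Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run steps 1 to 3 on the Splunk Enterprise server and step 4 on the client you intend to forward from; a listener on the server combined with a failed TcpTestSucceeded from the client points to a network or firewall block rather than a Splunk misconfiguration.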
What This Enables
Ready for the Next Step
You have now configured the "Server" side of the equation. Your central Splunk Enterprise instance is ready to accept data.
What's Next? Now I can go to any other machine (e.g., a Windows 10 client, a Linux web server), install a Universal Forwarder, and point it to this Splunk server using the command (replace <splunk-server-address> with the hostname or IP of the Splunk Enterprise instance):
.\splunk.exe add forward-server <splunk-server-address>:9997
This creates the same architecture you built with Splunk Cloud, but now entirely within your own lab environment.
Day 5 Reflection: Building Infrastructure
Goal Achieved:
Successfully configured Splunk Enterprise to receive data on port 9997.
SOC work isn't just about analysis; it's also about infrastructure. Understanding how to configure core components like receiving ports is essential for building and maintaining a functional security platform.