Splunk Universal Forwarder

Owned by Makala Hieshima
Last updated: Oct 25, 2017
2 min read

Overview

Splunk Universal Forwarder, installed simply as Universal Forwarder, provides reliable, secure data collection from remote sources and forwards that data into Splunk software for indexing and consolidation.  The self-service install available in Carleton's K1000 installs the Universal Forwarder and is preconfigured to collect only a few key channels of information for ITS's security team to monitor for major security breaches.

System Requirements

Windows 10 64-bit

Licensing Information

Splunk Universal Forwarder is freely available from Splunk's website.

Installation Instructions

College Owned Equipment

Installing Software from the KBOX

Windows package name: Windows: Splunk Universal Forwarder 6.6.3 (2017.10.17)

Frequently Asked Questions

Q: What is Splunk?

A: Splunk is a service that allows us to pool information from user computers, servers, services, and network appliances in a central spot, to aid us in performing various kinds of audits and analyses, primarily security-related.  It will give us some early indications of account and machine compromise.
Q: What *exactly* are you logging?
A: We are logging Windows Security Log event codes 106, 500, 517, 567, 601, 602, 1102, 2004, 4657, 4697, 4698, 7045 plus one system log code, 104.  These codes reflect actions attackers typically take, things like adding new services or firewall rules, wiping out restore points, and clearing event logs (to cover their tracks).  Just a dozen or so codes and associated text, plus some associated PowerShell logging.  That's it.
Q: Why log?  Isn't antivirus software enough?
A: To a large extent old-style antivirus software, and so-called signature and single-machine behavioral analysis, is obsolete.  To detect compromise, we need to pool data across a variety of sources in one place.  And we need logging, both to perform forensics when our defenses fail (as they inevitably will from time to time), and to put historical data where the malware can't get at it and erase it.

Who To Call

Contact Desktop Systems if you find issues with the installer in the K1000.