Logging Scenario - Send Local Logs to a Splunk Indexer
Scenario: you want to save gateway/relay logs to a Splunk Indexer. This guide presents a simple method to send all gateway/relay logs to a Splunk Indexer.
As with all gateway/relay logs, the logs stored on the gateway/relay will not include Admin UI activities, which can be accessed via the
sdm audit activities command.
Setting up the export
Enable relay logging in the Admin UI under Settings / Log Encryption & Storage. Ensure logging is set to FILE.
Configure your indexer to receive the date from the forwarder:
Create an index for strongDM, called "sdm_index" in this example:
Install the forwarder, then configure the monitor.wget -O splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=universalforwarder&filename=splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpm&wget=true'sudo rpm -ihv splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64.rpmexport PATH=$PATH:/opt/splunkforwarder/binsplunk start
You'll be asked to set the admin password on the first run of
splunk start.splunk list forward-serverActive forwards:ec2-34-210-43-66.us-west-2.compute.amazonaws.com:9997Configured but inactive forwards:Nonesplunk add monitor /home/ec2-user/.sdm/logs/ -index sdm_index -sourcetype sdmsplunk list monitor[...]/home/ec2-user/.sdm/logs/home/ec2-user/.sdm/logs/relay.1616439304.0.log/home/ec2-user/.sdm/logs/relay.1616439311.0.log/home/ec2-user/.sdm/logs/relay.1616595755.0.log/home/ec2-user/.sdm/logs/relay.1616604787.0.log/home/ec2-user/.sdm/logs/relay.1616652500.0.log[...]
You can search for "sdm_index" on the indexer's search: