dpkg -i splunkforwarder.deb
You can download the SplunkForwarder DEB file from the Splunk website after logging in.
cd /opt/splunkforwarder/bin; ./splunk enable boot-start
ssh TARGET -R 127.0.0.1:9997:127.0.0.1:9997
Run this from the Splunk server out to your cloud-based server; the reverse tunnel exposes the indexer's receiving port on the cloud server's loopback, so you can then set the forwarder's indexer address to 127.0.0.1:9997.
./splunk list forward-server
This will show the forwarder as inactive. Type
./splunk start
to activate it, then run
./splunk list forward-server
again to confirm that the forwarder is now active.
./splunk add monitor /var/log/auth.log -index ssh -sourcetype %APP%
Cobalt Strike Logs:
./splunk add monitor /root/cobaltstrike/logs/.../weblog.log -index cobalt -sourcetype weblog
./splunk add monitor /root/cobaltstrike/logs/.../beacon_*.log -index cobalt -sourcetype beacon_log
index=cobalt sourcetype=weblog | stats values(request) as request values(status_code) as status_code by ip