dpkg -i splunkforwarder.deb
You can download the SplunkForwarder DEB file from the Splunk website after logging in.
cd /opt/splunkforwarder/bin; ./splunk enable boot-start
ssh TARGET -R 127.0.0.1:9997:127.0.0.1:9997
Run this reverse tunnel from the Splunk server out to your cloud-based server; then you can set the indexer IP on the forwarder to 127.0.0.1:9997.
./splunk list forward-server
which will show the forwarder as inactive. Type ./splunk start to activate it and ./splunk list forward-server again to ensure that the forwarder is now indeed active.
./splunk add monitor /var/log/auth.log -index ssh -sourcetype %APP%
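As an added example (not from the original post), a small shell check that parses the output of ./splunk list forward-server and confirms the tunnel endpoint appears under "Active forwards" rather than "Configured but inactive forwards". The two-section output layout is assumed and the sample listings are constructed, not captured from a real forwarder.

```shell
# Added example: verify a forward-server is listed as active.
# Assumes the listing has the two sections "Active forwards:" and
# "Configured but inactive forwards:" with one host:port per line.
#
# Usage: forwarder_active <host:port> <listing-text>
# Returns 0 when the target is under "Active forwards", 1 otherwise.
forwarder_active() {
    target="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v t="$target" '
        /^Active forwards:/              { section = "active";   next }
        /^Configured but inactive/       { section = "inactive"; next }
        section == "active" && $1 == t   { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: listing right after adding the forward-server
# but before ./splunk start (configured, not yet active).
BEFORE_START='Active forwards:
    None
Configured but inactive forwards:
    127.0.0.1:9997'

# Constructed sample: listing after ./splunk start.
AFTER_START='Active forwards:
    127.0.0.1:9997
Configured but inactive forwards:
    None'

# Live use on the forwarder host (runs the real command):
#   forwarder_active 127.0.0.1:9997 \
#       "$(/opt/splunkforwarder/bin/splunk list forward-server)"
```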
Cobalt Strike Logs:
./splunk add monitor /root/cobaltstrike/logs/.../weblog.log -index cobalt -sourcetype weblog
./splunk add monitor /root/cobaltstrike/logs/.../beacon_*.log -index cobalt -sourcetype beacon_log
index=cobalt sourcetype=weblog | stats values(request) as request values(status_code) as status_code by ip
rex: