DIY Splunk: Live log forwarder demo
Someone just shared a hands‑on project showing how to forward logs in real time from a Kali Linux host into an Ubuntu Splunk Enterprise server — useful if you’re designing a SIEM pipeline and want a practical, end‑to‑end example. (x.com) The post includes configuration steps and is aimed at engineers building lab‑style detection architecture rather than productionized managed services. (x.com)
A log pipeline is the plumbing behind a security dashboard: one machine writes events to a file, another machine collects them, and a search engine turns that stream into something you can query in seconds. Splunk’s Universal Forwarder is the lightweight shipping agent in that chain, built to watch data on one host and send it to a receiving Splunk server. (help.splunk.com)
The basic split is simple: `inputs.conf` tells the forwarder what to watch, and `outputs.conf` tells it where to send the data. Splunk’s own docs spell that out because a forwarder with only one of those files is like a mail truck with either no pickup list or no destination address. (help.splunk.com)
On the receiving side, the Ubuntu box has to open a listener before anything arrives. Splunk Enterprise calls that a receiver, and its documentation says the common port for this traffic is `9997` using `splunktcp`. (help.splunk.com) On the sending side, the Kali Linux host needs a file monitor so the forwarder can tail a log as new lines are appended. Splunk supports that with `inputs.conf`, which is designed to monitor files and directories in near real time instead of waiting for a manual import. (help.splunk.com)
That is why this kind of demo is useful in a lab: Kali generates security-relevant activity, Ubuntu runs the search server, and the forwarder bridges the two with a steady stream instead of a one-time file copy. In practice, that lets you test detections against live command history, web logs, or authentication events the moment they hit disk. (help.splunk.com; help.splunk.com)
The most common failure in a setup like this is boring but absolute: the receiver port on the Splunk server and the destination port in the forwarder must match. Splunk’s troubleshooting guide says to check that the indexer is listening and that `outputs.conf` points to the same host and port, then restart the Universal Forwarder after changes. (help.splunk.com) A second gotcha is thinking `outputs.conf` alone is enough. Splunk’s forwarding docs explicitly warn that `outputs.conf` only controls where data goes, while the actual collection target still has to be defined separately as an input. (help.splunk.com)
Once the pipe is working, verification is straightforward: Splunk recommends searching by the forwarder host name or source path over a recent time window to confirm events are landing. That turns the demo from “the service started” into proof that the Ubuntu server is really indexing lines produced on the Kali machine. (help.splunk.com)
This is still a lab pattern, not a finished enterprise design. Splunk’s own docs on forwarding move quickly from single-host examples into load balancing, intermediate forwarders, and deployment tooling, which is the jump from a garage workbench to a warehouse conveyor belt. (help.splunk.com; help.splunk.com) The value of a hands-on walkthrough is that it compresses the whole idea of a security information and event management pipeline into one visible path: generate an event on Kali, ship it over the network, and watch it appear in Splunk on Ubuntu. If you can make that one path work end to end, you have the skeleton of a detection lab you can keep expanding. (help.splunk.com; help.splunk.com)
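The two gotchas above (a destination port that does not match the receiver, and an `outputs.conf` with no matching input) are cheap to catch before you restart anything. The following preflight checker is an added example, not code from the shared project or from Splunk: it parses a forwarder's `inputs.conf` and `outputs.conf` (Splunk's INI-style stanza files) with Python's standard `configparser`, confirms there is a `[monitor://...]` input and a `[tcpout:<group>]` destination, checks the destination port against the port the receiver listens on, and builds the host/source search used to verify that events are landing. The sample configs, the receiver address `192.0.2.10`, the group name `lab_indexer` and the host name `kali` are constructed for the example.

```python
"""Preflight check for a Universal Forwarder -> Splunk receiver lab pipe.

Added example (not the shared project's code): parses inputs.conf and
outputs.conf and reports the two classic misconfigurations from the post,
a missing monitor input and a forwarder port that does not match the
receiver, then builds the search used to confirm events are indexed.
"""
import configparser

# Port the Ubuntu Splunk server opens as a receiver (splunktcp), per the post.
RECEIVER_PORT = 9997

# Constructed sample inputs.conf for the Kali host: one file monitor stanza.
INPUTS_OK = """\
[monitor:///var/log/auth.log]
disabled = false
sourcetype = linux_secure
index = main
"""

# Constructed sample outputs.conf: 192.0.2.10 is a documentation-only address.
OUTPUTS_OK = """\
[tcpout]
defaultGroup = lab_indexer

[tcpout:lab_indexer]
server = 192.0.2.10:9997
"""

# Same destination host, but the port does not match the receiver.
OUTPUTS_WRONG_PORT = OUTPUTS_OK.replace(":9997", ":9998")


def parse_conf(text):
    """Parse Splunk's stanza/key=value format; only '=' separates keys from values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def monitor_stanzas(inputs):
    """Return every [monitor://...] stanza name, i.e. what the forwarder tails."""
    return [s for s in inputs.sections() if s.startswith("monitor://")]


def forward_servers(outputs):
    """Return (host, port) pairs from every [tcpout:<group>] 'server' line."""
    servers = []
    for section in outputs.sections():
        if section.startswith("tcpout:") and outputs.has_option(section, "server"):
            for entry in outputs.get(section, "server").split(","):
                host, _, port = entry.strip().rpartition(":")
                servers.append((host, int(port)))
    return servers


def preflight(inputs_text, outputs_text, receiver_port=RECEIVER_PORT):
    """Return a list of problems; an empty list means the pipe is consistent."""
    problems = []
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)

    if not monitor_stanzas(inputs):
        problems.append("inputs.conf has no [monitor://...] stanza: outputs.conf "
                        "alone says where data goes, nothing says what to collect")

    servers = forward_servers(outputs)
    if not servers:
        problems.append("outputs.conf has no [tcpout:<group>] stanza with server = host:port")
    for host, port in servers:
        if port != receiver_port:
            problems.append(f"outputs.conf sends to {host}:{port} but the receiver "
                            f"listens on {receiver_port}")
    return problems


def verification_search(host, monitors, minutes=15):
    """Build the SPL search that proves events from this forwarder are indexed."""
    sources = " OR ".join(f'source="{m[len("monitor://"):]}"' for m in monitors)
    return (f'index=main host="{host}" ({sources}) earliest=-{minutes}m '
            f'| stats count by source')


if __name__ == "__main__":
    for label, outputs_text in (("ok", OUTPUTS_OK), ("wrong port", OUTPUTS_WRONG_PORT)):
        print(label, "->", preflight(INPUTS_OK, outputs_text) or "no problems")
    print(verification_search("kali", monitor_stanzas(parse_conf(INPUTS_OK))))
```

On the real hosts, the receiver side corresponds to `splunk enable listen 9997` on the Ubuntu server, and the two forwarder files correspond to `splunk add forward-server <host>:9997` and `splunk add monitor /var/log/auth.log` on Kali; the checker only reads the resulting files, it does not run those commands. Run it against the forwarder's actual `etc/system/local/inputs.conf` and `outputs.conf` by reading them into the two text arguments, then paste the printed search into the Splunk search bar on the Ubuntu server.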