Integrating ER2 with Splunk



Splunk Enterprise is a fully featured platform for collecting, searching, monitoring and analysing machine data.

It can gather text-based log data and add it to a searchable index through which we can extract meaningful data.

There are a few ways to integrate Enterprise Recon with Splunk.

In this article we describe the most common ones.


Exporting ER2 syslogs using er2-dsclient (SIEM) and setting Splunk to monitor udp

Log in to your Enterprise Recon Master Server terminal console as 'root'.
Enter the command: er2-dsclient
Enter the command: set log/remote/<IP ADDRESS OF REMOTE LOG SERVER> 1
(e.g. set log/remote/ 1)

We can check that forwarding has been configured correctly with: index log/remote

The output should be similar to the below:


You can find more information on exporting logs in the knowledge base article:


Receiving can be enabled in Splunk via Splunk Web, the CLI, or the inputs.conf configuration file.

Using Splunk Web to set up a receiver

Log in to the receiver as admin or an administrative equivalent.
Click Settings > Data inputs


Select UDP > New to add a new listening input, specify the port the receiver should listen on, and select the Source type.


The default port used by er2-dsclient is 514 and the Source type is syslog.


Setup Splunk receiver using CLI:

In Windows, go to C:\Program Files\Splunk\bin   

enter: splunk add udp 514

In Linux OS, go to $SPLUNK_HOME/bin     

enter: ./splunk add udp 514


Setup Splunk receiver by editing inputs.conf:

Open inputs.conf

Windows location: C:\Program Files\Splunk\etc\system\local\inputs.conf

Linux OS location: $SPLUNK_HOME/etc/system/local/inputs.conf

Edit inputs.conf and insert the following lines (the stanza header names the UDP port to listen on; 514 is the er2-dsclient default):

[udp://514]
index = main
sourcetype = syslog
connection_host = dns
disabled = 0


Searching imported syslog data

To search the received data we need to specify one or more of the parameters source, sourcetype, host and so on, e.g. source = udp:514

We can combine several parameters to narrow the search.


More info on Splunk search syntax:


Forwarding data to Splunk using Universal Forwarder

Universal Forwarder provides secure data collection from remote sources and forwards that data into Splunk for indexing and consolidation.

Universal Forwarder is available as a separate package for the following OS: Windows, Linux, Solaris, Mac OS, FreeBSD, AIX.

There are two types of output processors for forwarding data: tcpout and syslog.
The universal forwarder only has the tcpout processor.


Installing Universal Forwarder

We can install the Universal Forwarder rpm package on ER2's host OS, CentOS 6.

Install UF: rpm -i splunkforwarder-<…>-linux-2.6-x86_64.rpm

The general syntax for a CLI command is: ./splunk <command> [<object>] [[-<parameter>] <value>]...

To enable UF to start at boot: /opt/splunkforwarder/bin/splunk enable boot-start

Start UF: /opt/splunkforwarder/bin/splunk start

To successfully configure Universal Forwarder we must configure inputs and outputs.


Configuring Universal Forwarder using CLI

Navigate to location: /opt/splunkforwarder/bin/

Run the CLI command to configure input: ./splunk add monitor /var/lib/er2/

Run the CLI command to configure output: ./splunk add forward-server hostname:9997

Some configuration changes might require that you restart the forwarder: ./splunk restart


Configuring Universal Forwarder by editing configuration files

outputs.conf controls how the forwarder sends data to an indexer.

Navigate to: $SPLUNK_HOME/etc/system/local

Edit file: vi outputs.conf

Insert in file:




inputs.conf controls what data the forwarder collects.

Navigate to: $SPLUNK_HOME/etc/apps/search/local

Edit file: vi inputs.conf

Insert in file (the monitor stanza names the directory added with ./splunk add monitor above):
[monitor:///var/lib/er2/]
disabled = false
index = main
sourcetype = %ER2%



Configure Splunk to receive data from Universal Forwarder

Configure using Splunk Web

Log in to the receiver as admin or an administrative equivalent.


Select Settings > Add Data > Monitor > TCP/UDP > Specify the TCP port > Next > Select Source type e.g. syslog, csv, mysqld... > Review > Submit


Splunk software starts listening for incoming data on the port you specified.


Configure receiving using CLI

In Windows, go to C:\Program Files\Splunk\bin   

In Linux OS, go to $SPLUNK_HOME/bin     

example command: ./splunk add tcp 9997 -index newindex1 -sourcetype syslog


Configure receiving by editing inputs.conf file

Windows: C:\Program Files\Splunk\etc\apps\search\local\inputs.conf

Linux: $SPLUNK_HOME/etc/apps/search/local/inputs.conf

Insert in file (the stanza header names the TCP port the forwarder sends to):

[tcp://9997]
connection_host = dns
index = newindex1
sourcetype = syslog
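The forwarder's outputs.conf and inputs.conf, and the receiver's TCP input stanza, rendered from a few parameters so the stanza headers are not typed by hand. This is an added example, not part of the Enterprise Recon article or Splunk's own tooling; the indexer hostname, the er2 sourcetype and the tcpout group name are assumed values.

```shell
#!/bin/sh
# Added example: render the Splunk forwarder/receiver configuration files
# discussed above. INDEXER and the "er2" sourcetype are assumed values.
INDEXER="${INDEXER:-splunk.example.internal}"   # assumed receiver hostname
RECEIVE_PORT="${RECEIVE_PORT:-9997}"            # TCP port used in the article
ER2_OUT="${ER2_OUT:-/var/lib/er2/}"             # directory the forwarder monitors
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# outputs.conf on the forwarder: send everything to one tcpout group.
# $1 = indexer host, $2 = receiving TCP port
render_outputs_conf() {
  cat <<EOF
[tcpout]
defaultGroup = er2_indexers

[tcpout:er2_indexers]
server = $1:$2
EOF
}

# inputs.conf on the forwarder: monitor a directory.
# $1 = absolute path, $2 = index, $3 = sourcetype
render_inputs_conf() {
  cat <<EOF
[monitor://$1]
disabled = false
index = $2
sourcetype = $3
EOF
}

# inputs.conf on the receiver: a TCP input on the port the forwarder uses.
# $1 = port, $2 = index, $3 = sourcetype
render_receiver_inputs_conf() {
  cat <<EOF
[tcp://$1]
connection_host = dns
index = $2
sourcetype = $3
EOF
}

# Write both forwarder files under $SPLUNK_HOME/etc/system/local and restart
# the forwarder so the new input and output take effect.
install_forwarder_conf() {
  dir="$SPLUNK_HOME/etc/system/local"
  mkdir -p "$dir"
  render_outputs_conf "$INDEXER" "$RECEIVE_PORT" > "$dir/outputs.conf"
  render_inputs_conf "$ER2_OUT" main er2 > "$dir/inputs.conf"   # "er2" sourcetype assumed
  "$SPLUNK_HOME/bin/splunk" restart
}
```

Run install_forwarder_conf on the ER2 host as root; the receiver stanza from render_receiver_inputs_conf goes into inputs.conf on the Splunk indexer.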


Various types of data can be forwarded to Splunk.

In the example below, the forwarder is monitoring the output folder for reports generated using:

er2-dsreport -format-csv -list-isolated -o /home/temp/report.csv -save-group group1




The firewall needs to be configured to allow inbound connections on the TCP and UDP ports in use.

If forwarded data is not reaching its destination, you can use a tool like Wireshark to check whether the packets are actually being sent.
Wireshark captures the traffic on the sending host, before it reaches the firewall.

Example of packets detected using er2-dsclient (syslog) and TCP protocol:




