Tuesday, July 6, 2010

Allow Splunk to retrieve logs from Server 2008

Issue: Allow the Splunk service through the firewall on Server 2008

Solution:
  1. Click Start and type "firewall".
  2. Don't select the first result, "Windows Firewall with Advanced Security".
  3. Select the second result in the list, "Windows Firewall".
  4. Click "Change settings".
  5. Click the Exceptions tab.
  6. Check the box next to "Remote Event Log Management" (appears to allow port 135/tcp).
  7. Done. Splunk can now remotely access the box (with the right privileges) and index the event logs.
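
A scripted equivalent of the steps above, as an added example that is not part of the original post. It uses netsh advfirewall and goes one step beyond the GUI procedure by restricting the enabled rules to a single remote address. The English built-in rule names and the Splunk server address ($SplunkHost, a placeholder) are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
param(
    # Assumption: address of the Splunk server that pulls the event logs.
    # 192.0.2.10 is a constructed placeholder (documentation range); replace it.
    [string]$SplunkHost = '192.0.2.10'
)

$group = 'Remote Event Log Management'

# Assumption: English names of the built-in rules in that group.
# netsh can only enable or disable a group as a whole, so any other
# property has to be changed rule by rule, by name.
$rules = @(
    "$group (RPC)",
    "$group (RPC-EPMAP)",
    "$group (NP-In)"
)

# Same effect as ticking the exception box in the GUI: enable the group.
netsh advfirewall firewall set rule "group=$group" new enable=yes | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not enable rule group '$group'"
}

# Narrow each rule so that only the Splunk server may connect through it.
foreach ($r in $rules) {
    netsh advfirewall firewall set rule "name=$r" new "remoteip=$SplunkHost" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Could not scope rule '$r' (is the rule name different on this system?)"
    }
}

# Verify: print state, profile, port and allowed remote address for each rule.
foreach ($r in $rules) {
    netsh advfirewall firewall show rule "name=$r" |
        Select-String -Pattern '^(Rule Name|Enabled|Profiles|LocalPort|RemoteIP):'
}
```

Each rule should report "Enabled: Yes" and a RemoteIP value matching the Splunk server rather than "Any".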