Forcepoint/fp-bd-splunk-universal-forwarder

bd-dep-splunk-universal-forwarder

This is a Splunk Universal Forwarder service used to forward Forcepoint logs into a Splunk indexer.

Package

Download the Linux build of the Splunk Universal Forwarder (splunkforwarder-*.tgz, available from the Splunk website) into the deploy directory first. This was tested with splunkforwarder-8.0.5-a1a6394cc5ae-Linux-x86_64.tgz (also available from bd-generic.eu-artifactory.cicd.cloud.fpdev.io). Then build the deployment package:

./build/create-deployment.sh
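Because the tarball is fetched out of band and then baked into the deployment package, it is worth checking its digest against the checksum published with the download before running create-deployment.sh. The script below is an added example and is not part of the repository; the deploy directory path and the placeholder digest in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the Forcepoint repository): verify the downloaded
# Splunk Universal Forwarder tarball before building the deployment package.
set -u

DEPLOY_DIR="${DEPLOY_DIR:-./deploy}"   # assumption: the tarball is placed in ./deploy

# sha512_of FILE: hex SHA-512 digest, using coreutils sha512sum or BSD/perl shasum
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED_SHA512
# Succeeds only if FILE exists, is named like a forwarder tarball and its
# digest equals EXPECTED_SHA512 (case-insensitive). Prints the reason on failure.
verify_tarball() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    case "$(basename "$file")" in
        splunkforwarder-*.tgz) ;;
        *) echo "unexpected file name: $file" >&2; return 1 ;;
    esac
    actual="$(sha512_of "$file")"
    if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" != "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Usage (the digest is a placeholder; take the real one from the Splunk download page):
#   verify_tarball "$DEPLOY_DIR/splunkforwarder-8.0.5-a1a6394cc5ae-Linux-x86_64.tgz" "<sha512-from-splunk>" \
#       && ./build/create-deployment.sh
```

Run it from the repository root; a failed check leaves the build step untouched, so a tampered or truncated download never reaches the deployment package.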

Implementation

Traditional

Unpack the deployment package

sudo tar -zxvf fp-splunk-universal-forwarder-v1.tar.gz -C /opt/

Enable forwarding for each product you need by exporting the matching variable (one or more of the following):

For PA
export FP_ENABLE_PA_FORWARD=true
For CSG
export FP_ENABLE_CSG_FORWARD=true
For NGFW
export FP_ENABLE_NGFW_FORWARD=true
For CASB
export FP_ENABLE_CASB_FORWARD=true

For NGFW, replace the placeholder with the forwarding port chosen in the SMC (the port the forwarder will listen on), and run the command below:

export FP_SOURCETYPE_NGFW_MONITOR_VALUE=<smc-forwarding-port>

Set the Splunk receiving host and port by running the script below; it will ask for the IP address of the Splunk indexer and the receiving port number.

sudo chmod +x /opt/fp-splunk-universal-forwarder/deploy/setup-splunk-config.sh
/opt/fp-splunk-universal-forwarder/deploy/setup-splunk-config.sh

Run the setup script below to install the program prerequisites and start the forwarder.

Note: when you start the forwarder for the first time, it prompts you for the Splunk Universal Forwarder username (admin) and asks you to create an admin password.

/opt/fp-splunk-universal-forwarder/deploy/setup.sh

Docker

docker build -t fp-splunk-universal-forwarder .

Run the container with the following command (FP_SOURCETYPE=private-access):

docker run --detach \
    --env "SPLUNK_START_ARGS=--accept-license" \
    --env "SPLUNK_PASSWORD=<universal-forwarder-password-of-your-choice>" \
    --env "SPLUNK_INDEXER_IP_ADDRESS=<splunk-indexer-ip-address>" \
    --env "SPLUNK_INDEXER_RECEIVING_PORT=<splunk-indexer-receiving-port>" \
    --env "FP_ENABLE_PA_FORWARD=true" \
    --name fp-pa-splunk-universal-forwarder \
    --restart unless-stopped \
    --volume FpLogsVolume:/app/forcepoint-logs:ro \
    fp-splunk-universal-forwarder

Run the container with the following command (FP_SOURCETYPE=cloud-security-gateway):

docker run --detach \
    --env "SPLUNK_START_ARGS=--accept-license" \
    --env "SPLUNK_PASSWORD=<universal-forwarder-password-of-your-choice>" \
    --env "SPLUNK_INDEXER_IP_ADDRESS=<splunk-indexer-ip-address>" \
    --env "SPLUNK_INDEXER_RECEIVING_PORT=<splunk-indexer-receiving-port>" \
    --env "FP_ENABLE_CSG_FORWARD=true" \
    --name fp-csg-splunk-universal-forwarder \
    --restart unless-stopped \
    --volume FpLogsVolume:/app/forcepoint-logs:ro \
    docker.frcpnt.com/fp-splunk-universal-forwarder

Run the container with the following command (FP_SOURCETYPE=next-generation-firewall):

docker run --detach \
    --env "SPLUNK_START_ARGS=--accept-license" \
    --env "SPLUNK_PASSWORD=<universal-forwarder-password-of-your-choice>" \
    --env "SPLUNK_INDEXER_IP_ADDRESS=<splunk-indexer-ip-address>" \
    --env "SPLUNK_INDEXER_RECEIVING_PORT=<splunk-indexer-receiving-port>" \
    --env "FP_ENABLE_NGFW_FORWARD=true" \
    --env "FP_SOURCETYPE_NGFW_MONITOR_VALUE=<smc-forwarding-port>" \
    --name fp-ngfw-splunk-universal-forwarder \
    --publish <smc-forwarding-port>:<smc-forwarding-port> \
    --restart unless-stopped \
    docker.frcpnt.com/fp-splunk-universal-forwarder

Run the container with the following command (FP_SOURCETYPE=cloud-access-security-broker):

docker run --detach \
    --env "SPLUNK_START_ARGS=--accept-license" \
    --env "SPLUNK_PASSWORD=<universal-forwarder-password-of-your-choice>" \
    --env "SPLUNK_INDEXER_IP_ADDRESS=<splunk-indexer-ip-address>" \
    --env "SPLUNK_INDEXER_RECEIVING_PORT=<splunk-indexer-receiving-port>" \
    --env "FP_ENABLE_CASB_FORWARD=true" \
    --name fp-casb-splunk-universal-forwarder \
    --restart unless-stopped \
    --volume FpLogsVolume:/app/forcepoint-logs:ro \
    docker.frcpnt.com/fp-splunk-universal-forwarder

Run all

docker run --detach \
    --env "SPLUNK_START_ARGS=--accept-license" \
    --env "SPLUNK_PASSWORD=<universal-forwarder-password-of-your-choice>" \
    --env "SPLUNK_INDEXER_IP_ADDRESS=<splunk-indexer-ip-address>" \
    --env "SPLUNK_INDEXER_RECEIVING_PORT=<splunk-indexer-receiving-port>" \
    --env "FP_ENABLE_PA_FORWARD=true" \
    --env "FP_ENABLE_CSG_FORWARD=true" \
    --env "FP_ENABLE_CASB_FORWARD=true" \
    --env "FP_ENABLE_NGFW_FORWARD=true" \
    --env "FP_SOURCETYPE_NGFW_MONITOR_VALUE=<smc-forwarding-port>" \
    --name fp-products-splunk-universal-forwarder \
    --publish <smc-forwarding-port>:<smc-forwarding-port> \
    --restart unless-stopped \
    --volume FpLogsVolume:/app/forcepoint-logs:ro \
    docker.frcpnt.com/fp-splunk-universal-forwarder
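Both procedures above take the indexer address, the receiving port and the SMC forwarding port as free-form values, and the Docker variant puts the forwarder password on the docker command line, where it ends up in shell history and in ps output on the host. The script below is an added example, not code from the repository: it validates those inputs (the same checks apply before the Traditional export steps), writes the "Run all" variables to a 0600 env file, and starts the container with --env-file instead of --env. The file path, the 192.0.2.x address, the port numbers and the HOST_BIND variable are assumptions chosen for the example; docker inspect still shows the values to anyone with access to the Docker socket.

```shell
#!/usr/bin/env bash
# Added example, not part of the Forcepoint repository.
# Validates the inputs used by the "Run all" command, writes them to a 0600
# --env-file so SPLUNK_PASSWORD is not on the docker command line, and runs
# the container from that file.
set -u

# is_port N: success if N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 A.B.C.D: success if a dotted quad with every octet in 0..255
is_ipv4() {
    local IFS=. octet
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_env_file PATH PASSWORD INDEXER_IP RECEIVING_PORT SMC_PORT
# Writes the KEY=VALUE lines docker --env-file expects (values are taken
# literally: no quoting, no "export"). Enables all four products, as in the
# "Run all" command. On bad input nothing is written and 1 is returned.
write_env_file() {
    local path="$1" password="$2" indexer="$3" rport="$4" smcport="$5"
    [ -n "$password" ] || { echo "empty SPLUNK_PASSWORD" >&2; return 1; }
    case "$password" in *'
'*) echo "SPLUNK_PASSWORD must not contain a newline (env-file is line based)" >&2; return 1 ;;
    esac
    is_ipv4 "$indexer" || { echo "bad indexer address: $indexer" >&2; return 1; }
    is_port "$rport"   || { echo "bad receiving port: $rport" >&2; return 1; }
    is_port "$smcport" || { echo "bad SMC forwarding port: $smcport" >&2; return 1; }
    # printf (not a heredoc) so a password containing $ or backticks is written as-is;
    # umask 077 creates the file 0600, chmod covers a pre-existing file.
    ( umask 077 && printf '%s\n' \
        "SPLUNK_START_ARGS=--accept-license" \
        "SPLUNK_PASSWORD=$password" \
        "SPLUNK_INDEXER_IP_ADDRESS=$indexer" \
        "SPLUNK_INDEXER_RECEIVING_PORT=$rport" \
        "FP_ENABLE_PA_FORWARD=true" \
        "FP_ENABLE_CSG_FORWARD=true" \
        "FP_ENABLE_CASB_FORWARD=true" \
        "FP_ENABLE_NGFW_FORWARD=true" \
        "FP_SOURCETYPE_NGFW_MONITOR_VALUE=$smcport" > "$path" ) && chmod 600 "$path"
}

# run_forwarder ENV_FILE SMC_PORT: the "Run all" container, configured from ENV_FILE.
# Optional HOST_BIND (assumed name, e.g. 192.0.2.10) publishes the SMC port on
# one host address only instead of every interface.
run_forwarder() {
    local env_file="$1" smcport="$2" bind="${HOST_BIND:-}"
    [ -z "$bind" ] || bind="$bind:"
    docker run --detach \
        --env-file "$env_file" \
        --name fp-products-splunk-universal-forwarder \
        --publish "${bind}${smcport}:${smcport}" \
        --restart unless-stopped \
        --volume FpLogsVolume:/app/forcepoint-logs:ro \
        docker.frcpnt.com/fp-splunk-universal-forwarder
}

# Usage (addresses, ports and path are example values; the password is read without echo):
#   read -rs -p 'Forwarder admin password: ' pw; echo
#   write_env_file /etc/fp-splunk-uf.env "$pw" 192.0.2.10 9997 5514 \
#       && run_forwarder /etc/fp-splunk-uf.env 5514
```

Keep the env file on the Docker host only and treat it like any other credential file; rotating the forwarder password means rewriting the file and recreating the container, since the values are read once at docker run time.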