Setup

Initial Configuration and Event Log Analysis

Use the steps below to quickly configure Secret Server and Splunk. To set up your external audit server to gather events that you can export from Secret Server:

Go to Admin > Configuration.
Click Edit at the bottom of the page.
Click the General tab.
Go to the Syslog/CEF Logging Advanced Settings Information section and select the Syslog/CEF Logging checkbox.
The Syslog/CEF Logging Advanced Settings Information window displays.
Enter the Splunk server’s IP address in the Syslog/CEF Server field.
Enter the Splunk server’s port in the Syslog/CEF Port field.
From the Syslog/CEF Protocol dropdown list, select TCP.
From the Syslog/CEF Site dropdown list, select Local.
Click Save.

Set Up Windows Heavy Forwarder

You need to set up Windows Heavy Forwarder to forward data to the Splunk Cloud. Click here to set up a heavy forwarder:

Install a Full Splunk Enterprise Instance.
When the installation is complete, log in to your Splunk as an admin on the instance that will be forwarding data.
Click Settings > Forwarding and receiving.

Set Up the Universal Forwarder

Before a forwarder can forward data, it must have a configuration.

Tell the forwarder what data to send.
Tell the forwarder where to send the data.

Because the universal forwarder does not have Splunk Web, the forwarder must be given a configuration during the installation. Install and configure Universal Forwarder on the server machine where Secret Server is installed. To install and configure Universal Forwarder:

Log in to Splunk Cloud with valid credentials.
Click Universal Forwarder and the Universal Forwarder window displays.
Click on the Splunk Downloads web page.
Select an Installation Package.
Double-click the MSI file to start the installation: splunkforwarder-8.0.3-a6754d8441bf-x64-release.msi.
Select the Check this box to accept the License Agreement checkbox.
Uncheck the Use this Universal Forwarder with on-premises Splunk Enterprise. Uncheck if you want this UniversalForwarder to contact a Splunk Cloud instance checkbox.
Create credentials for the admin account.
Enter the hostname of Splunk and the default port 8089.
Click Install.
After configuration of the universal forwarder go to the Splunk Cloud home page.
Click Universal Forwarder.
On the Splunk Cloud home page, click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
When prompted, click Save File and click OK. By default, the splunkclouduf.spl file downloads to the Downloads directory. If you download to a different location, make note of that location.
Move the splunkclouduf.spl file to the C:\ProgramFiles\SplunkUniversalForwarder\etc\apps directory of your forwarder.
Open a command prompt window and enter the following command:

tar xvf splunkclouduf.spl
Go to the /bin subdirectory of the deployment server.
Enter the following command in the command prompt window,

splunk install app \<full path to splunkclouduf.spl\> -auth\<username\>:\<password\>

where <full path to splunkclouduf.spl> is the path to the directory, where the splunkclouduf.spl file is located and <username>:<password> is the username and password of an existing admin account on the forwarder.
Restart your forwarder: /splunk restart.
Select Forwarding defaults.
Select Yes to store and maintain a local copy of the indexed data on the forwarder.
At Configure forwarding, click Add new.
Enter the hostname or IP address for the receiving Splunk instance(s) and the receiving port stated when the receiver was configured (for example, enter receivingserver.com:9997).
Click Save.
Click Setting > Server Control to go to Server Control.
Click Restart Splunk.
Download the SPL package from your Splunk cloud.

It's not the regular universal forwarder exe you get from Splunk (no need to install the separate universal forwarder software). https://yourcloudname.splunkcloud.com/en-US/app/splunkclouduf/setupuf
On the Splunk Cloud home page, click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
When prompted, click Save File and OK. By default, the splunkclouduf.spl file downloads to the Downloads directory. If you download to a different location, make note of that location.
Move the splunkclouduf.spl file to the, C:\ProgramFiles\Splunk\etc\apps directory of your enterprise.
Open a command prompt window and run the following command: tar xvf splunkclouduf.spl.
Go to the /bin subdirectory of your deployment server.
In the command prompt field, run the following command on your Splunk Heavy Forwarder (or the path that you installed Splunk):

Copy

    splunk install app \<full path to splunkclouduf.spl\| -auth
    \<usernameZZ_BAR_ZZ:\<passwordZZ_BAR_ZZ where \<full path to 
    splunkclouduf.spl\| is the path to the directory where the 
    splunkclouduf.spl file is located and \<username\|:\ 
    <password\| are the username and password of Splunk Enterprise.

Restart your forwarder: /splunk restart.
Once Splunk has restarted, confirm that the correct output.conf is installed.
Make sure that

C:\ProgramFiles\Splunk\etc\apps\yourcloudnamesplunkcloud\default\outsputs.conf is the same as C:\ProgramFiles\Splunk\etc\system\local\outputs.conf.
If the files above aren’t the same copy C:\ProgramFiles\Splunk\etc\apps\yourcloudnamesplunkcloud\default\outsputs.conf to C:\Program Files\Splunk\etc\system\local\outputs.conf and restart Splunk.

Install Splunk App for Secret Server

Click here to download the Splunk App (splunk-app-for-secret-server_11.tgz) for Secret Server.
Enter Splunk App for Secret Server in the Search field and click Enter.
The app’s page displays.
Click Download.
Log in to Splunk Enterprise.
Click the Gear icon next to Apps.
Select Install app from file and the Apps page displays.
Click Install app from file and a file selection window displays.
Click Choose File and locate and select the file previously downloaded.
Click Upload and the Restart Required window displays.
Click Restart Now.