topic Windows_TA_addon inputs in All Apps and Add-ons

Windows_TA_addon inputs

tthonest — Wed, 30 Sep 2020 01:28:17 GMT

Unable to see any logs even after configuring inputs.conf under Splunk_TA_Windows > local.

I should at least see perfmon. here's my config to keep it basic.

[WinEventLog://Security]
disabled = 0
index = security
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml=0

my logs are showing success to connecting to indexers but

07-28-2019 13:43:19.292 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed (splunk cloud)

Re: Windows_TA_addon inputs

gcusello — Mon, 29 Jul 2019 09:34:50 GMT

Hi tthonest,
I don't think that the problem is in the inputs.conf but probably in outputs.conf.

At first check the connection (open ports) between your server and the Splunk cloud (using telnet).
Then what port did you configured to send logs from the forwarder to Splunk Cloud? I see 8000, but this is the web interface port, by default logs are sent using the 9997 port.
Check in your Splunk Cloud if you're receiving (probably not!) internal logs from the forwarder

index=_internal host=your_host

Bye.
Giuseppe

Re: Windows_TA_addon inputs

tthonest — Wed, 30 Sep 2020 01:28:27 GMT

Hey Guiseppe,

apologies, to clarify...

07-29-2019 10:37:42.100 -0700 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0.
07-29-2019 10:37:58.589 -0700 WARN TcpOutputFd - Connect to x.x.x.x:8000 failed. No connection could be made because the target machine actively refused it.
07-29-2019 10:37:58.589 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed
07-29-2019 10:38:14.324 -0700 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_x.x.x.x_8089_ip-x-x-x-x-.ec2.internal_myWorkStation_...
07-29-2019 10:38:16.034 -0700 WARN TcpOutputFd - Connect to x.x.x.x:8000 failed. No connection could be made because the target machine actively refused it.
07-29-2019 10:38:16.034 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed

I've validated the logs, it does say 9997 is connected and to my multiple indexer clusters which is what I want. I dont know why it's trying to connect to my splunkcloud.com web UI, i just assume since it's failing i should make sure it's successfully establish a connection. Regardless I dont see logs under my splunk cloud instance at all.

my inputs file is quite straight forward...

inputs.conf (SPLUNKHOME\etc\apps\Splunk_TA_windows\local)
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0

so when I go into SplunkCloud i expect to see index=* or index=security, i've manually created the index in splunk cloud already.

Re: Windows_TA_addon inputs

gcusello — Tue, 30 Jul 2019 08:41:45 GMT

Hi tthonest,
inputs.conf seems to be correct, so I think that the problem is somewhere else, probably outputs.conf.
You can debug configuration files using btool command https://docs.splunk.com/Documentation/Splunk/7.3.0/Troubleshooting/Usebtooltotroubleshootconfigurations
Bye.
Giuseppe

Re: Windows_TA_addon inputs

tthonest — Tue, 30 Jul 2019 19:27:23 GMT

Hello, okay I dont see an outputs.conf file under local.

Re: Windows_TA_addon inputs

gcusello — Wed, 31 Jul 2019 07:19:17 GMT

Hi tthonest,
search outputs.conf in your installation, it must be present (I see in your logs "Connected to idx=x.x.x.x:9997"), otherwise you cannot send logs to indexers or Heavy Forwarders.
Bye.
Giuseppe