topic Re: windows sytem logs are not coming to splunk in All Apps and Add-ons

windows system logs are not coming to splunk

AL3Z — Tue, 04 Mar 2025 10:19:34 GMT

Hi,

I set up a Splunk lab on my Windows 10 laptop, where both the Splunk Forwarder and Splunk Server are installed on the same host. After installing the Splunk Add-on for Windows, I created an inputs.conf file in the local folder under etc/apps.

###### OS Logs ######
[WinEventLog://Application]
disabled = 0
index = "windows_logs"
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=0

Despite this setup, I don't see any Windows logs in Splunk.

Re: windows sytem logs are not coming to splunk

livehybrid — Tue, 04 Mar 2025 08:43:11 GMT

Hi @AL3Z

Just for clarity, did you put the inputs.conf within an app folder in $SPLUNK_HOME/etc/apps (e.g $SPLUNK_HOME/etc/apps/yourApp/local/inputs.conf ? Rather than $SPLUNK_HOME/etc/apps/local/inputs.conf (incorrect) ?

When you refer to "Splunk Forwarder and Splunk Server are installed on the same host" - Is this two deployments of Splunk on the same instance? If so, have you confirmed that your forwarder deployment is able to send its internal logs to the main instance.

Please review the _internal logs logs to confirm your forwarder is sending logs to your main Splunk instance (if applicable) and also if there are any errors relating to the Windows TA.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: windows sytem logs are not coming to splunk

gcusello — Tue, 04 Mar 2025 09:40:08 GMT

Hi @AL3Z ,

i don't think that you can install on the same VM both Spunk Enterprise and Splunk Universal Forwarder because they have the same IP and hostname and it's completely unuseful.

If you want to test the windows logs ingestion from the local machine, you don't need to use the UF and you can use your Splunk instance to create the input (you can do it also by GUI but It's always better to use the Splunk_TA_Windows enabling the interesting inputs).

If instead you want to test the connection between an UF and an Indexer, you have to use two different VMs and, on the UF, install the Splunk_TA_Windows enabling the interesting inputs.

Ciao.

Giuseppe

Re: windows sytem logs are not coming to splunk

AL3Z — Tue, 04 Mar 2025 10:04:24 GMT

Hi, @livehybrid

> I had placed the inputs.conf file within an app folder $SPLUNK_HOME/etc/apps/yourApp/local/inputs.conf only.

> Splunk Forwarder and Splunk Server are installed on the same host, yes forwarder deployment is sending its internal logs to the main instance.

Re: windows system logs are not coming to splunk

AL3Z — Tue, 04 Mar 2025 10:58:52 GMT

Hi @livehybrid, @gcusello,

Adding the inputs to C:\Program Files\SplunkUniversalForwarder\etc\system\local
I can able to see the logs in splunk.

Re: windows sytem logs are not coming to splunk

livehybrid — Tue, 04 Mar 2025 11:14:44 GMT

@AL3Z So you are seeing 2 hostnames in your internal logs?

And/Or sources from both:
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
and
C:\Program Files\Splunk\var\log\splunk\splunkd.log

Does the windows_logs index exist on your main Splunk instance?

In the context of the SplunkUniversalForwarder, can you run:

C:\Program Files\SplunkUniversalForwarder\bin\splunk cmd btool inputs list

Do your expected Windows inputs get listed?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: windows system logs are not coming to splunk

gcusello — Tue, 04 Mar 2025 11:55:41 GMT

Hi @AL3Z ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Re: windows sytem logs are not coming to splunk

AL3Z — Tue, 04 Mar 2025 13:30:39 GMT

Hi @livehybrid ,

I'm seeing only the 1 hostname in the internal logs.

Yes windows_logs index exist on main Splunk instance.

When i ran the btool cmd i can see the windows inputs list.

Thanks..

Re: windows sytem logs are not coming to splunk

livehybrid — Tue, 04 Mar 2025 13:49:15 GMT

Hi @AL3Z

Okay, so that tells us that the inputs on the UF should be working, however the single hostname in the _internal log is inconclusive, as if the UF is on the same server as the main instance it would have the same hostname unless you have specifically modified the serverName on one of the instance? As @gcusello mentioned, having both on the same server/machine will be making things more complicated.

Essentially what we're trying to establish here is if the flow isnt going from the UF, or if the input isnt working. Im starting to suspect that the data isnt going from the UF, so I think it would be good to establish some proof either way.

If you search "index=_internal source=*splunkd.log" - How many source do you see in the interested fields on the left? If the UF is sending then you should see 2.

How have you configured the forwarding of the data from UF the main instance, and how have you configured the main instance to listen (Presumably on port 9997)?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: windows sytem logs are not coming to splunk

AL3Z — Tue, 04 Mar 2025 16:24:14 GMT

Hi @livehybrid,

I did'nt modify the serverName on my instance.

If i search "index=_internal source=*splunkd.log" - I would see the 2 sources in the interested fields.

I had configured the forwarding of the data from UF and the main instance both using port 9997.

In real time uf and server should not be on the same machine right?

Thanks..

topic Re: ** windows sytem logs are not coming to splunk ** in All Apps and Add-ons

** windows system logs are not coming to splunk **

Re: ** windows sytem logs are not coming to splunk **

Re: ** windows sytem logs are not coming to splunk **

Re: ** windows sytem logs are not coming to splunk **

Re: ** windows system logs are not coming to splunk **

Re: ** windows sytem logs are not coming to splunk **

Re: ** windows system logs are not coming to splunk **

Re: ** windows sytem logs are not coming to splunk **

Re: ** windows sytem logs are not coming to splunk **

Re: ** windows sytem logs are not coming to splunk **

topic Re: windows sytem logs are not coming to splunk in All Apps and Add-ons

windows system logs are not coming to splunk

Re: windows sytem logs are not coming to splunk

Re: windows sytem logs are not coming to splunk

Re: windows sytem logs are not coming to splunk

Re: windows system logs are not coming to splunk

Re: windows sytem logs are not coming to splunk

Re: windows system logs are not coming to splunk

Re: windows sytem logs are not coming to splunk

Re: windows sytem logs are not coming to splunk

Re: windows sytem logs are not coming to splunk