topic Re: Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers in Deployment Architecture

Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

KulvinderSingh — Fri, 26 Nov 2021 10:03:04 GMT

hi All,

I need to send windows event logs from Splunkforwarder to Indexers via a heavyforwarder.

I have done some configuration but it seems like something is incorrect as I am getting cooked data in splunk instead of logs.

All the help is appreciated.

regards,

Re: Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

PickleRick — Fri, 26 Nov 2021 10:18:32 GMT

We don't know your config but I'd dare to guess that you're sending to tcp: input instead of splunktcp: one.

Re: Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

KulvinderSingh — Fri, 26 Nov 2021 10:29:50 GMT

Splunk forwarder: outputs.conf

[tcpout]
defaultGroup=xxxhf

[tcpout:xxxhf]
autoLBFrequency=40
server=x.x.x.x:xxxx
useACK=true
indexandforward=false

Heavy forwarder : inputs.conf

[tcp://xxxxx]

sourcetype=WinEventLog
index=xxxxx
disabled = 0

inputs on indexers :

[splunktcp:xxxx]

Re: Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

PickleRick — Fri, 26 Nov 2021 10:38:50 GMT

You have tcp: on HF, as I said. You need to send from UF to HF on splunktcp input.

Re: Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

KulvinderSingh — Fri, 26 Nov 2021 10:45:09 GMT

Okay got it, I have changed it to splunktcp on forwarder and even I can read the logs in splunk SH but still sourcetype of logs is coming in as xmlWinEventlog instead of WinEventLog. I have the SpluK_TA_Windows on indexers as well as on HF and SF. But this I think is close to resolving the issue if i can just sort this small thing.

Re: Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

PickleRick — Fri, 26 Nov 2021 13:47:07 GMT

You define the sourcetype and whether you want the events rendered as xml or in "old format" in inputs.conf

Re: Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

KulvinderSingh — Fri, 26 Nov 2021 14:20:13 GMT

so you mean to say in splunkforwarder inputs.conf i should set renderXML = false and that should fix it or will i have to do that everywhere like on SF,HF,IX all 3 places? sorry doing this for the first time. Getting windows logs is easiest of all but the way i am trying its looking very difficult.

thanks in advance.

Re: Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

PickleRick — Fri, 26 Nov 2021 15:28:38 GMT

OK. Baby steps 🙂

In the inputs.conf file on the UF you set how you want the events from the EventLog pulled - as XML or not.

Then you send it to HF, which sends data to indexer(s).

The app installed on the SH-s are responsible for search-time extractions.

I don't remember if the TA for windows does any index-time data modifications - you have to check the docs. If it does, you'd also need it on the HF. But I don't recall installing it there.