https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/571957#M101249 <P>Dears,&nbsp;</P><P>We have the deployment server in DMZ zone and indexers are in DRN zone. So windows team is pushing the packages using SCCM to our DMZ deployment servers and we can see those clients in our deployment servers but we are not seeing single logs in our splunk that means data is not indexing into our splunk.&nbsp;</P><P>Please find the attached architecture screenshot for your reference .&nbsp;</P><P>More details :&nbsp;</P><P>1. Deployment servers in DMZ zone</P><P>2. Indexers are in DRN zone&nbsp;</P><P>&nbsp;</P><P>#################</P><P>The below one is for Windows DMZ&nbsp; log sources to windows universal forwarder</P><P>[root@********local]# cat outputs.conf<BR />[tcpout]<BR />defaultGroup = xxxx_idx_win_prod<BR />indexAndForward = false</P><P>[indexAndForward]<BR />index = false</P><P>[tcpout:xxxx_idx_win_prod]<BR />autoLBVolume = 1048576<BR />server = xxxxsplkwinfrwdr001.xxxxx.xx.xxxx:9997, xxxxsplkwinfrwdr002.xxxxx.xx.xxxx:9997<BR />sslPassword = password<BR />clientCert = $SPLUNK_HOME/etc/auth/server.pem<BR />autoLBFrequency = 5<BR />useACK = true</P><P>########################################</P><P>Deployment server configuration :- This will applicable for PROD DRN indexers - Forwarders to indexers&nbsp;</P><P>/opt/splunk/etc/deployment-apps/xx-xxxx_xxxx_idx_prod_outputs/local</P><P>cat outputs.conf<BR />[tcpout]<BR />defaultGroup = xxxx_idx_prod<BR />indexAndForward = false</P><P>[indexAndForward]<BR />index = false</P><P>[tcpout:xxxx_idx_prod]<BR />autoLBVolume = 1048576<BR />server = &lt;all drn indexers ip address mentioned here with 9997 port&gt;<BR />sslPassword = password<BR />clientCert = $SPLUNK_HOME/etc/auth/server.pem<BR />autoLBFrequency = 5<BR />useACK = true</P><P>&nbsp;</P><P>#######################</P><P>inputs.conf&nbsp;</P><P>cat inputs.conf<BR />[splunktcp-ssl:9997]<BR />disabled=0<BR />[SSL]<BR />sslPassword = password<BR />clientCert = $SPLUNK_HOME/etc/auth/server.pem&nbsp;</P><P>Kindly advise us on this.&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Splunk DMZ Flow (005).jpg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16544iA894048D557E1C1B/image-size/large?v=v2&amp;px=999" role="button" title="Splunk DMZ Flow (005).jpg" alt="Splunk DMZ Flow (005).jpg" /></span></P><P>&nbsp;</P> Fri, 22 Oct 2021 07:34:38 GMT kiranpanchavat1 2021-10-22T07:34:38Z https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/571957#M101249 <P>Dears,&nbsp;</P><P>We have the deployment server in DMZ zone and indexers are in DRN zone. So windows team is pushing the packages using SCCM to our DMZ deployment servers and we can see those clients in our deployment servers but we are not seeing single logs in our splunk that means data is not indexing into our splunk.&nbsp;</P><P>Please find the attached architecture screenshot for your reference .&nbsp;</P><P>More details :&nbsp;</P><P>1. Deployment servers in DMZ zone</P><P>2. Indexers are in DRN zone&nbsp;</P><P>&nbsp;</P><P>#################</P><P>The below one is for Windows DMZ&nbsp; log sources to windows universal forwarder</P><P>[root@********local]# cat outputs.conf<BR />[tcpout]<BR />defaultGroup = xxxx_idx_win_prod<BR />indexAndForward = false</P><P>[indexAndForward]<BR />index = false</P><P>[tcpout:xxxx_idx_win_prod]<BR />autoLBVolume = 1048576<BR />server = xxxxsplkwinfrwdr001.xxxxx.xx.xxxx:9997, xxxxsplkwinfrwdr002.xxxxx.xx.xxxx:9997<BR />sslPassword = password<BR />clientCert = $SPLUNK_HOME/etc/auth/server.pem<BR />autoLBFrequency = 5<BR />useACK = true</P><P>########################################</P><P>Deployment server configuration :- This will applicable for PROD DRN indexers - Forwarders to indexers&nbsp;</P><P>/opt/splunk/etc/deployment-apps/xx-xxxx_xxxx_idx_prod_outputs/local</P><P>cat outputs.conf<BR />[tcpout]<BR />defaultGroup = xxxx_idx_prod<BR />indexAndForward = false</P><P>[indexAndForward]<BR />index = false</P><P>[tcpout:xxxx_idx_prod]<BR />autoLBVolume = 1048576<BR />server = &lt;all drn indexers ip address mentioned here with 9997 port&gt;<BR />sslPassword = password<BR />clientCert = $SPLUNK_HOME/etc/auth/server.pem<BR />autoLBFrequency = 5<BR />useACK = true</P><P>&nbsp;</P><P>#######################</P><P>inputs.conf&nbsp;</P><P>cat inputs.conf<BR />[splunktcp-ssl:9997]<BR />disabled=0<BR />[SSL]<BR />sslPassword = password<BR />clientCert = $SPLUNK_HOME/etc/auth/server.pem&nbsp;</P><P>Kindly advise us on this.&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Splunk DMZ Flow (005).jpg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16544iA894048D557E1C1B/image-size/large?v=v2&amp;px=999" role="button" title="Splunk DMZ Flow (005).jpg" alt="Splunk DMZ Flow (005).jpg" /></span></P><P>&nbsp;</P> Fri, 22 Oct 2021 07:34:38 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/571957#M101249 kiranpanchavat1 2021-10-22T07:34:38Z https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/571966#M101250 <P>There are some typical steps you can troubleshoot in such situation:</P><P>1) Check what is the final configuration of your forwarders with btool</P><P>2) Check whether you do have network connectivity (if you use mutual authentication, which is a good thing, you should do it with a tool that supports TLS auth and check if you can authenticate with your crypto material)</P><P>3) Check the logs on both sides for any connection-related errors</P><P>4) Dump the network traffic and see how the connection tries go</P> Fri, 22 Oct 2021 08:21:15 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/571966#M101250 PickleRick 2021-10-22T08:21:15Z https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/572191#M101272 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;</P><P>We can see the below errors in deployment servers</P><P>10-14-2021 12:22:42.659 +0300 WARN HttpListener - Socket error from 173.1.194.87:57778 while idling: Read Timeout<BR />10-14-2021 12:30:39.833 +0300 WARN HttpListener - Socket error from 173.1.196.88:53694 while idling: Read Timeout<BR />10-14-2021 15:43:05.850 +0300 WARN HttpListener - Socket error from 173.1.194.88:57415 while idling: Read Timeout<BR />10-14-2021 15:48:27.204 +0300 WARN HttpListener - Socket error from 173.1.194.76:63420 while idling: Read Timeout<BR />10-14-2021 15:57:15.789 +0300 WARN HttpListener - Socket error from 173.1.194.58:58735 while idling: Read Timeout<BR />10-14-2021 16:07:40.478 +0300 WARN HttpListener - Socket error from 173.1.194.59:59241 while idling: Read Timeout<BR />10-14-2021 16:15:52.728 +0300 WARN HttpListener - Socket error from 173.1.194.60:56266 while idling: Read Timeout<BR />10-14-2021 16:42:01.798 +0300 WARN HttpListener - Socket error from 173.1.194.61:50263 while idling: Read Timeout<BR />10-14-2021 16:52:24.384 +0300 WARN HttpListener - Socket error from 173.1.194.62:54696 while idling: Read Timeout<BR />10-14-2021 17:04:25.910 +0300 WARN HttpListener - Socket error from 173.1.196.89:64325 while idling: Read Timeout<BR />10-14-2021 17:11:19.243 +0300 WARN HttpListener - Socket error from 173.1.214.14:58889 while idling: Read Timeout</P> Mon, 25 Oct 2021 06:12:39 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/572191#M101272 kiranpanchavat1 2021-10-25T06:12:39Z https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/572200#M101274 <P>This on its own should not mean anything serious. Just that some unused connections are getting timed-out. It probably means that there is some misconfiguration on network level because open connections should get properly closed if not used but it's not a big deal.</P><P>And deployment server on its own has nothing to do with sending logs from forwarders to indexers.</P><P>So check other points.</P> Mon, 25 Oct 2021 07:58:22 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-logs-are-not-ingesting-into-splunk/m-p/572200#M101274 PickleRick 2021-10-25T07:58:22Z