topic Re: Integration Issue in Getting Data In

No events from Universal Forwarder

aly347774 — Mon, 22 Jan 2024 08:29:17 GMT

I installed Universal Forwarder On Linux Machine and integrate it with Splunk , but their is no logs returned on Splunk Search Head , as per your Knowledge I`m currently working on distributed Splunk Enterprise .

Any Recommendations ?

Re: Integration Issue

PickleRick — Mon, 22 Jan 2024 08:28:20 GMT

What do you mean by "I integrated my UF with Splunk"?

Also the usual questions.

1. Do you have _any_ events from this forwarder (especially forwarder's own logs in _internal index) in your Splunk?

2. Do you have connectivity from your UF to your receiving component(s)? Did you verify it manually?

3. Did you check your forwarder's logs ($SPLUNK_HOME/var/log/splunk/splunkd.log) for errors?

Re: No events from Universal Forwarder

aly347774 — Mon, 22 Jan 2024 10:33:42 GMT

I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

When I searched the search head, no logs appeared
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?

Re: Integration Issue

aly347774 — Mon, 22 Jan 2024 10:36:26 GMT

When I searched the search head, no logs appeared
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?

Re: No events from Universal Forwarder

PickleRick — Mon, 22 Jan 2024 10:37:31 GMT

OK. You downloaded and installed the UF. I assume you started it as well. But as you are apparently using a Deployment Server, did you configure your UF to connect to that DS?

Re: No events from Universal Forwarder

aly347774 — Tue, 23 Jan 2024 06:28:29 GMT

I have specified a specific index so that we can send the logs to it, but when I search in the search head, there are no logs found.
Do I have to specify anything in the Input.conf file?

Re: Integration Issue

PickleRick — Tue, 23 Jan 2024 19:05:48 GMT

OK. Maybe you misunderstand how Splunk works. You don't "connect splunk to a linux server". You install UF on a server and (and that might be one of the parts you're missing) you're making it send events to Splunk.

So, did you verify any of those things I asked you earlier?