topic Re: Univeral forwarder not forwarding in Getting Data In

Univeral forwarder not forwarding

systemsatpayzon — Mon, 28 Sep 2020 14:04:30 GMT

I have a problem with a universal forwarder as i configured on a domain controller to use with splunk app for active directory. The forwarder is not forwarding anything. what i have done so far:
1. installed the forwarder to gather remote data and used an domain admin account. i did not check any of the checkboxes during the installation. but i typed in the reciving indexer when asked for
2. i have downloaded and copied the folders Splunk_TA_windows, TA-DNSServer-NT6 and TA-DomainController-NT6 to the apps directory on the universal forwarder
3. I have put a inputs.conf file under Splunk_TA_windows\local folder and then restarted the forwarder

But noting is sent to indexer. I am sure that there is no firewall or anything like that blocking because i first installed the forwarder as usual and checked the security log input in the installation wizard (after reading the manual about splunk app for active directory i uninstalled it) and saw that events where sent to and recieved by the indexer.

Re: Univeral forwarder not forwarding

MHibbin — Wed, 12 Jun 2013 11:34:28 GMT

Have you seen anything in the logs on the universal forwarder?

$SPLUNK_HOME\var\log\splunk\splunkd.log

Re: Univeral forwarder not forwarding

systemsatpayzon — Wed, 12 Jun 2013 11:52:40 GMT

What should i look for? the rows below seems suspicious..

6-12-2013 12:17:13.440 +0200 ERROR TcpOutputFd - Read error. Either the application has not called WSAStartup, or WSAStartup failed.
06-12-2013 12:17:13.440 +0200 INFO TcpOutputProc - Connection to 192.168.19.47:9997 closed. Read error. Either the application has not called WSAStartup, or WSAStartup failed.

[EDIT]
further down this message is written, so i guess that there are no connection problem
INFO TcpOutputProc - Connected to idx=192.168.19.47:9997

Re: Univeral forwarder not forwarding

systemsatpayzon — Wed, 12 Jun 2013 12:50:30 GMT

[EDIT2]

Domain and dns information seems to be sent to the indexer, but not any logs from the security, application or system event log

Re: Univeral forwarder not forwarding

starcher — Mon, 28 Sep 2020 14:06:20 GMT

I would double check your inputs.conf file under your Splunk_TA_Windows app. Personally I always copy the inputs.conf from the default to the local folder then edit the stanzas for the appropriate event viewer containers and add the line index=... where you specify the index you want the logs to go into assuming you are not sending them to the default index.

You did not mention setting up an outputs.conf to point to your indexer. Though if 192.168.19.47 is your indexer then you probably did that.

Re: Univeral forwarder not forwarding

systemsatpayzon — Mon, 28 Sep 2020 14:06:43 GMT

thanks for the tips.. here is a snippet from my inputs.conf found in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local

[default]

evt_dc_name =

evt_dns_name =

OS Logs

[WinEventLog:Application]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

[WinEventLog:Security]

disabled = 0

start_from = oldest

current_only = 0

evt_resolve_ad_obj = 1

checkpointInterval = 5

[WinEventLog:System]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

Re: Univeral forwarder not forwarding

systemsatpayzon — Tue, 18 Jun 2013 06:58:42 GMT

When i removed the app folder TA-DNSServer-NT6 from splunk and restarted splunk it starts to forward events! the server is a DC with ad integrated DNS.