topic Re: Universal Forwarder from Linux to Windows Server in Getting Data In

Universal Forwarder from Linux to Windows Server

4Msplunk — Fri, 22 Mar 2013 18:30:22 GMT

Hi,
I am trying to set up a Universal Forwarder on a Linux box to send Security info to a Windows Server hosting Splunk.
I used the below command on the linux box after installing the univiersal forwarder:
./splunk add monitor /var/log/ - sourcetype syslog
But on the Windows Server,
All I see is messages like “x00\x5\x00\x4\xFF\x2\x1\x00”
I would like to see something more readable and preferable related to the security log.
Any suggestions?
Thanks.

Re: Universal Forwarder from Linux to Windows Server

martin_mueller — Fri, 22 Mar 2013 18:36:27 GMT

Make sure your indexer is set to receive forwarded data on that port, and is not set to receive data as a TCP/UDP input.

Re: Universal Forwarder from Linux to Windows Server

4Msplunk — Fri, 22 Mar 2013 19:12:44 GMT

Hi,
Thank you for the reply, but I am set to receive data on a TCP port.

I had a similar problem with the Windows machines that I installed Universal Forwarder, but a commenter's reply to another post suggested changing the outputs.conf file's sendCookedData value from true to false, and like magic I could read the messages. But, it did not work on the Linux Universal Forwarder machine's outputs.conf file. I still got messages like \x00\x5\x00\x4\xFF\x2\x1\x00
Any Suggestions?
Thanks,

Re: Universal Forwarder from Linux to Windows Server

Ayn — Fri, 22 Mar 2013 20:53:19 GMT

Note that there is a difference between a raw TCP input and a TCP port for receiving forwarded data from another Splunk instance. In inputs.conf terms, you want a splunktcp input, not a tcp input.

Re: Universal Forwarder from Linux to Windows Server

martin_mueller — Fri, 22 Mar 2013 21:25:53 GMT

Or, in webinterface terms, Manager -> Forwarding and Receiving -> Configure receiving.