topic Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server? in Getting Data In

Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

GLCFSCS — Thu, 13 Nov 2014 02:24:34 GMT

I have a new standalone Splunk install that I want to test. It's installed on Windows.

I want to monitor the Windows Security event log of a remote Windows Server. I have installed the UF on this server.

There is a connection between the remote Windows server and the Splunk server, so that eliminates firewall and networking problems.

I am not seeing the Windows Security events on the Splunk server however.

What am I missing?

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

GLCFSCS — Thu, 13 Nov 2014 03:23:16 GMT

Addinitial info ... I get this error in Splunk:

received event for unconfigured/disabled/deleted index='wineventlog' with source='source::WinEventLog:Security' host='host::SERVER01' sourcetype='sourcetype::WinEventLog:Security' (1 missing total)

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

s72ucor — Thu, 13 Nov 2014 03:30:42 GMT

On the UF make sure the Windows app has security event logs enabled in inputs.conf. Check to ensure output.conf is configured to send logs to your Splunk server.

On the Splunk server make sure your inputs.conf is configured to listen on 9997 (or your configured port). Make sure indexes.conf is configured with an index for security events. You'll need to create an index called msad unless you've selected another index on the UF.

Check splunkd.log for errors. Use netstat to see if the UF is sending/established on TCP 9997 and if the Splunk server is listening on tcp 9997. Even though you said they had a direct connection, make sure the windows firewall isn't blocking outbound ports from the UF and that the Splunk server is not being blocked inbound.

Between the conf files, netstat, firewalls, and log files you should see something. Also, try an obligatory UF service restart.

Let us know if any of these steps help.

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

s72ucor — Thu, 13 Nov 2014 03:33:13 GMT

Did you create that index on your Splunk server?

That error means that it tried to write to an index that isn't there.

Create the index and the events should go away.

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

s72ucor — Thu, 13 Nov 2014 03:34:16 GMT

s/events/errors/

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

GLCFSCS — Thu, 13 Nov 2014 03:39:20 GMT

OK, I created the index "wineventlog" and it's working.

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

scc00 — Wed, 20 Jan 2016 19:30:33 GMT

Make sure your Indexers also have the Splunk App for Windows Infrastructure app and windows add-on installed. If the Indexers don't have the apps and related add-on you won't see any event data.

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

Michael — Tue, 16 Aug 2016 16:22:28 GMT

I have a similar problem. I installed the UF, but the inputs.conf did NOT including the system, apps, or security events even though I selected them during install. I manually added, restarted. Confirmed forward destination is correct (outputs.conf).

Something you can test is make sure the networking (firewalls) are all OK with "netstat -an" to confirm they are communicating. This is almost always the problem (but not in this time...).

In my case, they are communicating, but no events are being forwarded even though they are being generated (confirmed with local Event Viewer).

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

chrisdavies76 — Thu, 08 Sep 2016 15:25:19 GMT

Hi, I am also having same problem as Michael. Splunk installed on Linux host taking in syslog no problem. Two UF installed on two Windows2012R2 hosts, not sending windows event logs despite selecting them during UF install. Any ideas? Thanks,Hi, having exact same problem as Michael. I am new to Splunk and am reading as much as I can but would appreciate a point in the right direction to sort this out. I have Splunk Enterprise installed on a Linux host and working correctly taking in syslog. I have two universal forwarders installed on Windows 2012R2 hosts, one has IIS on and is sending the logs to the indexer correctly. Just no Windows Event Logs 😞

Chris

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

Michael — Thu, 08 Sep 2016 16:30:31 GMT

In my case, I followed the answer below and created the said index (wineventlog) and it worked.

Discovered this is default with the UF on Windows systems that it sends to this directory, not "main". I'm sure it says as much during the installation, but I must have missed it -- if not, it should be...

Apologies; not much to offer (yet) on the Linux issue (SELinux?). Although, this has always been a firewall issue for me on 'nix in the past...

Re: Why am I not seeing any Windows security event logs after installing a universal forwarder on a remote Windows server?

Michael — Thu, 08 Sep 2016 16:31:45 GMT

Ya, that message needs to be more prominent during the UF install -- that this needs to be done. This is going to burn a lot of people...