https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153770#M31265 <P>Raised my maxkbs to 0 (unlimited) and it ran for 4 minutes.. instead of the ~45-60 minutes, changed it to 56kbps.. stopped after 22 minutes.</P> Wed, 07 May 2014 14:56:24 GMT aelliott 2014-05-07T14:56:24Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153767#M31262 <P>I have a windows domain controller with a universal forwarder.<BR /> I have Splunk_TA_Windows deployed out to it using the universal forwarder(this is the only app deployed),<BR /> I have an outputs.conf file pointing to my indexer port</P> <P>[tcpout:DomainControllers]<BR /> server=myserver.mycompany.com:6666</P> <P>I have my indexer with a splunk 2 splunk looking watching on port 6666</P> <P>I have this in my inputs.conf on the Universal forwarder:<BR /> [WinEventLog://Security]<BR /> disabled = 0 <BR /> start_from = oldest<BR /> current_only = 1<BR /> evt_resolve_ad_obj = 0<BR /> checkpointInterval = 5<BR /> index = dclogs</P> <P>The data is forwarded once to the indexer successfully, then does not send anything more, the logs simply say that is is phoning home.</P> <P>I send a small update to the splunk_ta_windows (such as adding a space) and it then sends the data to my indexer Once and only once.</P> <P>Here are the only possible errors that i see in the logs:</P> <PRE><CODE>TcpOutputFd - Read error. Either the application has not called WSAStartup, or WSAStartup failed. 05-06-2014 08:21:22.632 -0500 INFO TcpOutputProc - Connection to 44.44.44.44:6666 closed. Read error. Either the application has not called WSAStartup, or WSAStartup failed. ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - SysmonMigrator::read - 'sysmon.conf' was not found, no migration is required. </CODE></PRE> <P>More Logs:<BR /> 05-07-2014 16:28:49.717 -0500 DEBUG TcpOutputProc - channel registered<BR /> 05-07-2014 16:28:49.717 -0500 DEBUG TcpOutputProc - Pushed eventId=86331 on chanID=33 to back of tcp client (tcp output) queue<BR /> 05-07-2014 16:28:49.717 -0500 DEBUG TcpOutputProc - channel registered<BR /> 05-07-2014 16:28:49.717 -0500 DEBUG TcpOutputProc - Pushed eventId=86332 on chanID=33 to back of tcp client (tcp output) queue<BR /> 05-07-2014 16:28:49.717 -0500 DEBUG TcpOutputProc - channel registered<BR /> 05-07-2014 16:28:49.717 -0500 DEBUG TcpOutputProc - Pushed eventId=86333 on chanID=33 to back of tcp client (tcp output) queue<BR /> 05-07-2014 16:28:49.732 -0500 DEBUG TcpOutputProc - channel registered<BR /> 05-07-2014 16:28:49.732 -0500 DEBUG TcpOutputProc - Pushed eventId=86334 on chanID=33 to back of tcp client (tcp output) queue<BR /> 05-07-2014 16:28:49.732 -0500 DEBUG TcpOutputProc - channel registered<BR /> 05-07-2014 16:28:49.732 -0500 DEBUG TcpOutputProc - Unregistering Channel for : source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::mydc|splunkd|3744.44.44.444:6666, oneTimeClient=0, _events.size()=1, _refCount=2, _waitingAckQ.size()=0, _supportsACK=0<BR /> 05-07-2014 16:28:49.732 -0500 DEBUG TcpOutputProc - Pushed eventId=86335 on chanID=33 to back of tcp client (tcp output) queue<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - numchannels = 0<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - ---- existing clients - start ----<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Client 444.444.44.444:6666, oneTimeClient=0, _events.size()=0, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - ---- existing clients - end ----<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - AutoLB timer started to select new connection<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Removing quarantine for idx=444.444.44.444:6666<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Pinging idx=444.444.44.444:6666<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Destryong AutoLBWrappedPollableDescriptor for 444.444.44.444:6666<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - BEGIN - randomizeConnectionsList<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Indexer uri 444.444.44.444:6666, client refCount=1, client=non-NULL<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - BEGIN - After sorting<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Indexer uri 444.444.44.444:6666, client refCount=1, client=non-NULL<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Found currently active indexer 444.444.44.444:6666, client refCount=1, client=non-NULL<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - getting connected clients<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Sending HB to 444.444.44.444:6666, oneTimeClient=0, _events.size()=0, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Sending hb from TcpOutputClient for 444.444.44.444:6666, oneTimeClient=0, _events.size()=0, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Connector::runRawStateMachine in state=eRawInit<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - tcpConnect to 444.444.44.444:6666<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - ConnectionSuccessful. _rawConnectionState=eRawTcpConnectInProgress<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Connector::runRawStateMachine in state=eRawTcpConnectDone<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Destryong AutoLBWrappedPollableDescriptor for 444.444.44.444:6666<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - channel not registered yet<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Registering Channel for : source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::mydc|splunkd|37444.444.44.444:6666, oneTimeClient=0, _events.size()=0, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Pushed eventId=86336 on chanID=33 to back of tcp client (tcp output) queue<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - channel registered<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Pushed eventId=86337 on chanID=33 to back of tcp client (tcp output) queue<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - channel registered<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - Pushed eventId=86338 on chanID=33 to back of tcp client (tcp output) queue<BR /> 05-07-2014 16:28:52.748 -0500 DEBUG TcpOutputProc - channel registered</P> Mon, 28 Sep 2020 16:32:47 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153767#M31262 aelliott 2020-09-28T16:32:47Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153768#M31263 <P>i think i've figured this out <BR /> <A href="http://answers.splunk.com/answers/64554/starting-point-of-index">http://answers.splunk.com/answers/64554/starting-point-of-index</A></P> Tue, 06 May 2014 14:28:25 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153768#M31263 aelliott 2014-05-06T14:28:25Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153769#M31264 <P>Now it went for about 45 minutes, then stopped</P> <P>metrics.log states: 05-06-2014 10:50:42.121 -0500 INFO StatusMgr - destPort=6666, eventType=connect_done, sourceHost=44.44.44.44, sourceIp=44.44.44.44, sourcePort=50138, statusee=TcpInputProcessor<BR /> 05-06-2014 10:50:42.121 -0500 INFO StatusMgr - sourcePort=6666, ssl=false, statusee=TcpInputProcessor<BR /> 05-06-2014 10:50:42.340 -0500 INFO StatusMgr - destPort=6666, eventType=connect_close, sourceHost=44.44.44.44, sourceIp=44.44.44.44, sourcePort=50138, statusee=TcpInputProcessor</P> <P>so my domain controller 44.44.44.44 is still connecting to the indexer</P> Mon, 28 Sep 2020 16:32:50 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153769#M31264 aelliott 2020-09-28T16:32:50Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153770#M31265 <P>Raised my maxkbs to 0 (unlimited) and it ran for 4 minutes.. instead of the ~45-60 minutes, changed it to 56kbps.. stopped after 22 minutes.</P> Wed, 07 May 2014 14:56:24 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153770#M31265 aelliott 2014-05-07T14:56:24Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153771#M31266 <P>This is specifically my Windows Security Event Logs, the splunk logs get forwarded just fine.</P> Wed, 07 May 2014 18:56:59 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153771#M31266 aelliott 2014-05-07T18:56:59Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153772#M31267 <P>Just learned that our server is on Windows 2012 R2, Will be getting the splunk 6.1 forwarder on there sometime to verify that is our issue.</P> Thu, 08 May 2014 14:13:36 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153772#M31267 aelliott 2014-05-08T14:13:36Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153773#M31268 <P>This was indeed the issue, updated to 6.1 and it is now successfully forwarding.</P> Thu, 08 May 2014 21:29:03 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Universal-Forwarder-stops-forwarding-after-one-successful/m-p/153773#M31268 aelliott 2014-05-08T21:29:03Z