topic Re: Why are Windows event logs not being forwarded to the specified index with my current configuration? in Getting Data In

Why are Windows event logs not being forwarded to the specified index with my current configuration?

bravehearts9787 — Wed, 11 May 2016 06:43:42 GMT

I have a universal forwarder installed on my Windows server. I am trying to send Event Logs with certain Event Types to the Indexer server. In addition to that, I am sending files stored in my server location to the indexer server. All these data need to be sent to a particular index within the indexer server. However, when I search the indexer with the Index name, I am not able to get any results.

inputs.conf from my Forwarder:

[default]
host = WIN2K3CPT

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
whitelist = SourceName="^RC_ProcessInstAppService_Failure$"
whitelist1 = SourceName="^RC_ProductTransferService_Failure$"
whitelist2 = SourceName="^RC_MarketOfferProcessor_Failure$"
whitelist3 = EventType="Warning"

[monitor://F:\inetpub\wwwroot\T3Report]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
whitelist = CMC\.txt|RC\.txt

props.conf from the Indexer server:

[srcapplogrc]
TRANSFORMS-index=sendtoapplogrc

transforms.conf from the indexer server:

[sendtoapplogrc]
REGEX=.
DEST_KEY = _MetaData:Index
FORMAT = applogrc

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

woodcock — Wed, 11 May 2016 17:11:08 GMT

The terms index and indexer are different things. I see your configuration for sending to particular index values but if you are trying to send some stuff to certain indexers, we need to see your outputs.conf.

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

bravehearts9787 — Thu, 12 May 2016 11:57:54 GMT

Thanks. Here it is:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = server1.mydomain.com:11070

[tcpout-server://server1.mydomain.com:11070]

Note: All these conf files are in system\local folder. And I did try restarting the Splunk Instance post changes.

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

jkat54 — Thu, 12 May 2016 13:00:19 GMT

Hi, there's no need for the props and transforms in this case because you're specifying the index in the inputs.conf stanza.

Have you made sure that port 11070 is open from your machine to the other machine? Firewalls can block this connection, such as windows firewall, network firewalls, linux firewalls (iptables, apparmor), etc.

Also to be sure, the inputs and outputs .conf files should be on the universal forwarder, not the splunk indexer. You mentioned inputs.conf was on the UF but nothing about the location of outputs.conf. So I'm just checking to be sure.

Finally, i removed your internal server names from your post for your own protection.

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

bravehearts9787 — Fri, 13 May 2016 09:18:43 GMT

Thanks Michael. The location of my outputs.conf is within the UF (etc/system/local) itself. Also, I did a telnet for the port 11070. Its open.
Is there anything specific that we need to configure within the Forwarder for it to actually start forwarding data? I am of the assumption that it starts sending the data automatically once the Output.conf is placed and Instance restarted.

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

jkat54 — Fri, 13 May 2016 09:41:04 GMT

That's all it takes so long as the account splunkd is running under has permissions to read the data you're looking for and then receiving is enabled on the indexers on that port.

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

jkat54 — Tue, 17 May 2016 14:02:15 GMT

@ppablo_splunk hey man, is there anyway we can delete/edit the comments the op made that contained his server names from the question history?