topic Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent? in Getting Data In

After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jhingley — Mon, 07 Dec 2015 14:06:00 GMT

Hello

I upgraded to a 6.3.1 Splunk forwarder on a Windows 2012 server. Connectivity is fine and Security logs are coming through, but I can't see Application or System logs (I ensured all three boxes had been checked during the installation process) - I checked 'system>local>inputs.conf' and added the stanzas detailed on this site [WinEventLog://Application], etc, but no joy .

The previous version was 6.1.2 and all logs were coming through. I uninstalled the new version and put this back on - all logs were seen (I didn't need to change the inputs.conf file either) .

Have checked splunkd.log after restarting the service, but I can't see a message that details what I am doing wrong - all help appreciated!

btw, the Splunk Indexer and the web server are running OEL6, if this has any bearing. They are working correctly .

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jagould — Mon, 07 Dec 2015 22:19:01 GMT

I'm having the same exact problem, except worse.
This is a brand new install and only the Windows Setup event logs are being forwarded.

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jhingley — Tue, 08 Dec 2015 09:13:26 GMT

Glad its not just me! I am running W2K12 R1 - do you have the same setup ?

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jagould — Tue, 08 Dec 2015 13:27:16 GMT

i'm running 2k8R2

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jhingley — Tue, 08 Dec 2015 13:31:01 GMT

Ok - I have just installed the forwarder on our Domain Controller (W2K12 r1) , it sends 'system' and 'application' but not 'security ' - even though I selected the same settings as the previous server . There is plenty of space on the indexer , and again I cant find a specific error message within 'splunkd.log' to pinpoint why certain event logs are not being sent .

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jagould — Fri, 11 Dec 2015 13:07:41 GMT

So i have come to realise that splunk is horrible software.
The only way i can get it to work, is if i setup the Forwarders to be Deployment Clients, and then "Add data" from a Forwarder and select the client that's a deployment client.
Problem is, Once i a create a server class, the only way i can add to it is using the deployment*.conf on the server, which defeats the entire purpose of splunk IMO.
I want everything to be fully automated (i've got scripted install of the Forwarder via WSUS using LocalUpdatePublisher) and when installed i just want the data to be send to the Indexer.

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jagould — Fri, 11 Dec 2015 13:07:51 GMT

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jhingley — Fri, 11 Dec 2015 13:15:19 GMT

I have rolled back to 6.1.8 . Its working correctly with all three logs coming through . Trouble is we need the 'fixed' feature of data integrity (hashing of logs) for compliance that is in 6.3 .

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jagould — Fri, 11 Dec 2015 13:39:39 GMT

I know what you mean.
I tried 6.2.7 and it doesn't work there either for me.

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jhingley — Fri, 11 Dec 2015 14:14:11 GMT

Linux works seamlessly - have 6.3 running on all OEL boxes no problem . Out of interest are you running the Indexer on Windows or Linux ?

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jagould — Fri, 11 Dec 2015 14:19:21 GMT

its running on windows.
I think i just realized my issue, and i'm slightly embarrassed because it seems to simple.
I'm running Splunk Light for my indexer on windows, when you enable the addon for Windows (which you need to index windows logs) it creates a Separate wineventlog index. Apparently the ONLY way to get the Search to show this index is to manually specify it in the search "index=* host=xx" and then i can see all my source types.

It's probably been working the entire time. Now i need to find out how to include that index by default.

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jhingley — Fri, 11 Dec 2015 14:39:51 GMT

I tried 'index=_internal host=xxxxxx' but can only see 'metrics.log' and 'splunkd.log' in the source .

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jagould — Fri, 11 Dec 2015 14:55:32 GMT

OK, I'm running Splunk Light on windows, using the Universal Forwarders, NOT using Deployment server setting, but the Index Forwarder setting.
So my problem was the fact that the Splunk Light be Default, only searches the Main and OS Indexes. Me being New to Splunk, this was very frustrating as i didn't know that.
Once you enable the Windows Addon (which you need) it creates a wineventlog index. All of the data from windows goes into those indexes (Application, System, Security only).
The only way to get this data to show, would be to search using "index=* host=bla" to see the data i was expecting to see.

I created a "authorize.conf" under Splunk/etc/system/local/ and added this to the file:

[role_admin]
srchIndexesDefault = *

restarted Splunk Light.

Now everything shows up by default, and all my hosts show up with the correct information.

Not sure if this is your issue, but i wanted to share mine since they were "similar"

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jagould — Fri, 11 Dec 2015 14:57:03 GMT

I created a "authorize.conf" under Splunk/etc/system/local/ and added this to the file:

[role_admin]
srchIndexesDefault = *

restarted Splunk Light.

Now everything shows up by default, and all my hosts show up with the correct information.

Not sure if this is your issue, but i wanted to share mine since they were "similar"

Re: After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

jhingley — Fri, 11 Dec 2015 15:10:29 GMT

Many thanks for that - will give it a go and report back .