topic How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder? in Getting Data In

How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

chanamoluk — Sat, 17 Dec 2016 06:34:28 GMT

I want to send "wineventlog:security " logs to Heavy forwarder(KIWISERVER) and below are the configuration files that I have created on the Universal forwarder

inputs.conf:

[WinEventLog://Security]
disabled = 0
index = activedirectory
sourcetype=adlog_003

outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx.xx.xxx.xx:9997

[tcpout-server://xxx.xx.xxx.xx9997]

When i see the "Splunkd" log it shows "Connected to idx=xxx.xx.xxx.xx:9997" but i'm unable to see the events in splunk search index=active*

sample **splunkd log file :**

12-17-2016 01:09:30.162 -0500 INFO  WatchedFile - File too small to check seekcrc, probably truncated.  Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log'.
12-17-2016 01:09:30.162 -0500 INFO  WatchedFile - Will begin reading at offset=424312 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log'.
12-17-2016 01:09:30.178 -0500 INFO  WatchedFile - File too small to check seekcrc, probably truncated.  Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\remote_searches.log'.
12-17-2016 01:09:30.178 -0500 INFO  WatchedFile - Will begin reading at offset=854 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log'.
12-17-2016 01:09:30.287 -0500 INFO  TcpOutputProc - Connected to idx=xxx.xx.xxx.xx:9997

Please let me know what mistake I have done.....

Re: How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

tkomatsubara_sp — Sat, 17 Dec 2016 11:48:57 GMT

( I don't know why I can't add comment)

I'd like to suggest Just to monitor some file and send it to your index in order to identify the root cause.

Re: How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

mattymo — Sat, 17 Dec 2016 14:46:33 GMT

Are you searching from your searchhead or from the heavyforwarder?

can you see internal logs from the forwarder?

index=_internal host=<yourUF>

check metrics.log for your sourcetype. (sidenote: i don't think you need to be setting the sourcetype like that for a windows input, are you using any windows apps or TAs?)

index=_internal host=<yourUF> source=*metrics.log

check inputstatus on the forwarder using the splunk list inputstatus command (depends on uf version - 6.3 or 6.4+ i think?)

https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/AbouttheCLI

Re: How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

chanamoluk — Mon, 19 Dec 2016 14:51:20 GMT

i'm searching on "Heavy forwarder" and i cannot see internal logs as well.

i think this is a firewall issue?

Re: How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

coltwanger — Mon, 19 Dec 2016 19:12:43 GMT

I think the issue is you are forwarding your logs to the indexers, and the HF is not configured to search the data on the indexers. You need to search from the indexers themselves, or from a Search Head that has access to the data on the indexers.

Re: How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

mattymo — Tue, 20 Dec 2016 00:36:25 GMT

Yep, like coltwanger said,

if your HF is not set up for distributed search, you wont see the logs from there!

Check from the search head, ideally.