https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294092#M55895 <P>Hello all, I can't seem to get the windows universal forwarder to forward data.<BR /> - Splunk indexer (7.x.x) is on CentOS7, 8089 and 9997 open on firewall<BR /> - Latest Splunk forwarder installed on windows 10<BR /> - Did not go into customize on windows installer GUI, but did put the win event stanza from documentation into the forwarder inputs.conf (system local).<BR /> - opened 9997 data input in webui<BR /> - Turned off windows firewall for troubleshooting.<BR /> - Downloaded various windows apps/add-ons to splunk indexer thinking it was a deployment thing</P> <P>What am I missing?</P> Wed, 22 Nov 2017 22:05:38 GMT ShaunBaker 2017-11-22T22:05:38Z https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294092#M55895 <P>Hello all, I can't seem to get the windows universal forwarder to forward data.<BR /> - Splunk indexer (7.x.x) is on CentOS7, 8089 and 9997 open on firewall<BR /> - Latest Splunk forwarder installed on windows 10<BR /> - Did not go into customize on windows installer GUI, but did put the win event stanza from documentation into the forwarder inputs.conf (system local).<BR /> - opened 9997 data input in webui<BR /> - Turned off windows firewall for troubleshooting.<BR /> - Downloaded various windows apps/add-ons to splunk indexer thinking it was a deployment thing</P> <P>What am I missing?</P> Wed, 22 Nov 2017 22:05:38 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294092#M55895 ShaunBaker 2017-11-22T22:05:38Z https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294093#M55896 <UL> <LI>is your outputs.conf correctly set up to forward data to the indexer?</LI> <LI>install the Splunk Add-on for Windows on the universal forwarder: <A href="https://splunkbase.splunk.com/app/742/">https://splunkbase.splunk.com/app/742/</A> The steps to install this on the universal forwarder are listed here: <A href="https://docs.splunk.com/Documentation/WindowsAddOn/4.8.4/User/InstalltheSplunkAdd-onforWindows#Install_the_add-on_on_a_universal_forwarder">https://docs.splunk.com/Documentation/WindowsAddOn/4.8.4/User/InstalltheSplunkAdd-onforWindows#Install_the_add-on_on_a_universal_forwarder</A></LI> </UL> <P>The Add-on has all the right configuration to ingest windows events. This needs to be installed on the universal forwarder so that the forwarder knows what information to push to the indexer.</P> <P>Typically, a deployment server is used to push this configuration to the universal forwarders. You can read more about them here:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver">http://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver</A></P> Wed, 22 Nov 2017 22:58:35 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294093#M55896 mtulett_splunk 2017-11-22T22:58:35Z https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294094#M55897 <P>I have the splunk add-on for windows on the indexer, am I supposed to move it form apps to deployment apps so that it can be used for a server class?</P> Thu, 23 Nov 2017 01:25:47 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294094#M55897 ShaunBaker 2017-11-23T01:25:47Z https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294095#M55898 <P>I've updated my answer with a link to the installation guide for universal forwarders.</P> <P>You can place the Add-on in deployment apps, but you will need to configure the universal forwarder to poll the indexer for configuration, as well as creating a server class for the server (this can be achieved through conf files or the GUI).</P> <P>I would suggest reading the 'About deployment server' documentation from the link in my answer if you are curious about this, as the topic is too large to properly cover in an answer here.</P> Thu, 23 Nov 2017 02:18:09 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294095#M55898 mtulett_splunk 2017-11-23T02:18:09Z https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294096#M55899 <P>I think I got it working- I copied the windows add-on over to deployment-apps and already had the client showing up in forwarder manager, so created a server class, added the windows app and after a while the windows logs finally started rolling in.</P> Thu, 23 Nov 2017 08:09:23 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294096#M55899 ShaunBaker 2017-11-23T08:09:23Z https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294097#M55900 <P>Great to hear!</P> Thu, 23 Nov 2017 22:21:27 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-getting-the-Windows-universal-forwarder-to-forward-data/m-p/294097#M55900 mtulett_splunk 2017-11-23T22:21:27Z