topic Re: Universal forwarder (Windows) does not send logs even though "active" in Getting Data In

Universal forwarder (Windows) does not send logs even though "active"

Sagar0511 — Tue, 08 May 2018 06:10:43 GMT

Hi Folks,

I am testing log forwarding using universal forwarder from Windows to Splunk but can't seem to receive any logs.
My test environment has Splunk Enterprise OVA (standalone) as server and Windows 2012 (with universal forwarder) as client.

Steps i followed (not necessarily in that order):

On Windows client (Universal forwarder):
* Installed Universal forwarder
* configured as deployment client
* Added firewall rule to allow destination port 9997
* checked using "splunk list forward-server" to confirm server is listed in "active" section

On Splunk OVA enterprise server
* Configured listening on port 9997 using web console
* Added forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs" (could see my desired deployment client in the list). Selected Application, security & system events
* Stopped iptables service (just to ensure its not blocking traffic)
* Followed this link to receive logs from forwarder

Testing:
* created user in windows (client) and checked local event logs. Local log can be seen in "Security" events
* Ran search in server (web console) to see this event. It says "no events found" for the specific index

Re: Universal forwarder (Windows) does not send logs even though "active"

FrankVl — Tue, 08 May 2018 07:47:42 GMT

check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server
check splunkd.log on both splunk instances for errors (+ are the internal logs from the UF getting forwarded to the Enterprise instance?)
search for All Time, to rule out timestamping/sync issues
confirm universal forwarder runs under an account that has permissions to read the event logs

Re: Universal forwarder (Windows) does not send logs even though "active"

Sagar0511 — Tue, 08 May 2018 10:38:48 GMT

check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server -->It is showing the index name which has been created.
check splunkd.log on both splunk instances for errors
In Splunk OVA(Linux System) --> WARN Tcpoutput - Forwarding the indexer group xxxxxx blocked for
xxxx seconds
In Windows System --> There is no error
Are the internal logs from the UF getting forwarded to the Enterprise instance? --> No
confirm universal forwarder runs under an account that has permissions to read the event logs --> checked and it is running as SYSTEM User.

Re: Universal forwarder (Windows) does not send logs even though "active"

FrankVl — Tue, 08 May 2018 11:35:16 GMT

Why is your indexer reporting warnings on tcpoutput to an indexer group? Or did this warning actually come from the windows box?

Re: Universal forwarder (Windows) does not send logs even though "active"

Sagar0511 — Thu, 10 May 2018 06:35:20 GMT

I was able to fix the mentioned problem which was I was facing (for solving the forwarder not sending the logs though it is "active") from one of the reference link

Thanks.