https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384722#M69167 <P>Is Splunk running as SYSTEM or as a user and if as a user does it have the required permissions to listen to ports on Windows?</P> <P>Have you checked splunkd.log when it starts up for "TcpInput" type components and if there are any issues it is reporting?</P> Fri, 20 Jul 2018 10:33:13 GMT lmaclean 2018-07-20T10:33:13Z https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384720#M69165 <P>I am trying to make UniversalForwarder on Windows Server 2008 R2 Standard act as a syslog data receiver and forward this data to the Indexer.<BR /> It seems that Splunk on this Windows machine does not handle incoming syslog data.<BR /> Below is config:<BR /> <EM>C:\SplunkUniversalForwarder\bin&gt;splunk.exe cmd btool inputs list udp<BR /> [udp]<BR /> _rcvbuf = 1572864<BR /> connection_host = ip<BR /> evt_dc_name =<BR /> evt_dns_name =<BR /> evt_resolve_ad_obj = 0<BR /> host = Splunk-gtw<BR /> index = default<BR /> [udp://514]<BR /> _rcvbuf = 1572864<BR /> connection_host = ip<BR /> evt_dc_name =<BR /> evt_dns_name =<BR /> evt_resolve_ad_obj = 0<BR /> host = Splunk-gtw<BR /> index = default</EM></P> <P><EM>C:\SplunkUniversalForwarder\bin&gt;netstat -apb UDP<BR /> Active Connections<BR /> Proto Local Address Foreign Address State<BR /> UDP 0.0.0.0:123 *:</EM><BR /> W32Time<BR /> [svchost.exe]<BR /> UDP 0.0.0.0:514 <EM>:</EM><BR /> [splunkd.exe]*</P> <P>I see data in Wireshark capture, but metrics.log shows this:<BR /> <EM>6-15-2018 13:23:12.395 +0300 INFO Metrics - group=queue, name=udp_queue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0<BR /> 06-15-2018 13:23:12.395 +0300 INFO Metrics - group=udpin_connections, *:514, sourcePort=514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00</EM></P> <P>Please advise what may be the source of the trouble</P> Tue, 29 Sep 2020 20:00:48 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384720#M69165 pkarpushin 2020-09-29T20:00:48Z https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384721#M69166 <P>Hi, did you ever resolve this issue? I am observing the same issue in my network at the moment.</P> Fri, 20 Jul 2018 05:49:37 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384721#M69166 splkmika1 2018-07-20T05:49:37Z https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384722#M69167 <P>Is Splunk running as SYSTEM or as a user and if as a user does it have the required permissions to listen to ports on Windows?</P> <P>Have you checked splunkd.log when it starts up for "TcpInput" type components and if there are any issues it is reporting?</P> Fri, 20 Jul 2018 10:33:13 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384722#M69167 lmaclean 2018-07-20T10:33:13Z https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384723#M69168 <P>No, unfortunately. I had to give up listening 514 udp on my Windows machine, and started monitoring log files on a remote machine instead.</P> Mon, 23 Jul 2018 07:09:45 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384723#M69168 pkarpushin 2018-07-23T07:09:45Z https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384724#M69169 <P>no worries. Thanks. Yeah I moved over to monitoring files on a separate syslog server as well.</P> Wed, 25 Jul 2018 00:12:58 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384724#M69169 splkmika1 2018-07-25T00:12:58Z https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384725#M69170 <P>tried running it as the default Windows LocalSystem account, so the permissions I think should be ok. I could also see the Universal Forwarder exe listening on udp 514 with a netstat -a -b.</P> <P>I've given up on this and just gone with using an external syslog server with a Universal Forwarder installed.<BR /> Thanks for your response.</P> Wed, 25 Jul 2018 00:16:09 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-UniversalForwarder-not-registering-Syslog-input/m-p/384725#M69170 splkmika1 2018-07-25T00:16:09Z