Windows Universal Forwarder - Not Forwarding?

pmacdonald — Wed, 12 Oct 2022 14:51:01 GMT

I am tying to track down why my Windows Universal forwarder is not forwarding to the Splunk server/index. I can't seem to see anything for example in the past 24 hours and not sure why?

##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##

###### OS Logs ######
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
index = hostmonitoring
type = Computer

[WinHostMon://Process]
interval = 600
disabled = 0
index = hostmonitoring
type = Process

[WinHostMon://Processor]
interval = 600
disabled = 0
index = hostmonitoring
type = Processor

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
index = hostmonitoring
type = NetworkAdapter

[WinHostMon://Service]
interval = 600
disabled = 0
index = hostmonitoring
type = Service

[WinHostMon://Disk]
interval = 600
disabled = 0
index = hostmonitoring
type = Disk

###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
index = perfmoncpu
instances = *

mode = multikv
object = Processor
useEnglishOnly=true

## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
index = perfmonlogicaldisk
instances = *
interval = 60
mode = multikv
object = LogicalDisk
useEnglishOnly=true

## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
index = perfmonphysicaldisk
instances = *
interval = 60
mode = multikv
object = PhysicalDisk
useEnglishOnly=true

## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
index = perfmonmemory
interval = 60
mode = multikv
object = Memory
useEnglishOnly=true

## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
index = perfmonnetwork
instances = *
interval = 60
mode = multikv
object = Network Interface
useEnglishOnly=true

## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
index = perfmonprocess
instances = *
interval = 60
mode = multikv
object = Process
useEnglishOnly=true

## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
index = perfmonprocessinfo
instances = *
interval = 60
mode = multikv
object = Processor Information
useEnglishOnly=true

## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
index = perfmonsystem
instances = *
interval = 60
mode = multikv
object = System
useEnglishOnly=true

Re: Windows Universal Forwarder - Not Forwarding

gcusello — Wed, 12 Oct 2022 12:15:32 GMT

Hi @pmacdonald,

you have to troubleshhot your connection.

At first, have you results running

index=_internal host=<your_host>

index=* host=<your_host>

if yes the connection is ok and there's some input problem, if not, you have to check the connection between the forwarder and Indexers, e.g. using telnet.

Ciao.

Giuseppe

Re: Windows Universal Forwarder - Not Forwarding

pmacdonald — Wed, 12 Oct 2022 15:40:41 GMT

Hello,

Yes it was a DNS issue with the host in question....

Re: Windows Universal Forwarder - Not Forwarding

gcusello — Thu, 13 Oct 2022 06:27:23 GMT

Hi @pmacdonald,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

topic Re: Windows Universal Forwarder - Not Forwarding in Splunk Search

Windows Universal Forwarder - Not Forwarding?

Re: Windows Universal Forwarder - Not Forwarding

Re: Windows Universal Forwarder - Not Forwarding

Re: Windows Universal Forwarder - Not Forwarding