Hello,
I'm evaluating Splunk as a central syslog analyzer, so I've installed a free licensed indexer on an Ubuntu virtual machine. The problem is that I've installed the Universal Forwarder on a couple of Windows Servers (W2k3 32-bit and W2k8 64-bit, both servers in Spanish) and both send event data correctly to the indexer, but no performance information. I've checked that with a Wireshark capture.
Could you please help me with this issue? I don't know if I should enable something to check performance data.
Thank you very much in advance.
Best regards.
Antonio de la Chica.
Try downloading the app Splunk for Windows: http://apps.splunk.com/app/272/
It includes documentation about the entire setup: http://docs.splunk.com/Documentation/WindowsApp/latest/User/AbouttheSplunkAppforWindows
And the TA that you put on the forwarder to gather the performance data: http://apps.splunk.com/app/742/
What's in your inputs.conf file regarding Perfmon inputs?
If you're using a localized version of Windows you may have to use localized names of Perfmon objects and counters as well.
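An added example, not part of any reply in this thread and not taken from the Splunk App for Windows: a forwarder inputs.conf with one Perfmon input written with English names beside the same input written with Spanish names. The stanza names, the interval, the file location and the Spanish object and counter names are assumptions; confirm the names on the server itself before relying on them.

```ini
# Added illustration; not the poster's configuration.
# Assumed location on the forwarder: %SPLUNK_HOME%\etc\system\local\inputs.conf

# English names: the object/counter lookup can fail on a Spanish-language
# server if the counters are only resolvable under their localized names.
# Left disabled here so that only one CPU input is active.
[perfmon://CPU_en]
object = Processor
counters = % Processor Time
instances = _Total
interval = 30
disabled = 1

# The same input with Spanish names (assumed values; list the real ones
# on the server with: typeperf -q Procesador).
[perfmon://CPU_es]
object = Procesador
counters = % de tiempo de procesador
instances = _Total
interval = 30
disabled = 0
```

Restart the forwarder after editing the file, then check splunkd.log for errors from the Perfmon input.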
I've installed the UF as local system user, and splunkd.exe and splunk-winevtlog.exe are running as SYSTEM processes. I think Splunk should collect WMI data and forward it to the indexer port 9997. I can't figure out any problem in the indexer about a non-domain user.
You might have trouble collecting WMI data without the indexer running as a Windows domain user, but you should be able to send perfmon data from the forwarder.
Because I've only installed the UF on the Windows machine pointing to the Ubuntu box, which indexes the data. Is that right?
Right, the logs should be in splunk\var\logs\splunk\splunkd.log; my mistake.
I have not encountered problems with w2k3 network, cpu, or memory logs.
Where are the input configurations located on your forwarders? Prior to 6.0 they would be in MSICreated\local
My server is a Windows Server 2003R2 Standard Edition.
Could you please tell me whether it is not supported or whether I've missed something?
Thank you very much in advance.
Hello,
I don't have any directory named splunk\etc\apps\MSICreated\local, and logs are stored in D:\SplunkUniversalForwarder\var\log\splunk. I've checked splunkd.log, and there are two messages:
ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" wmain: Operating system major version 5, detected -- A minimum of 6 (VISTA/Server 2008) is required. Exitting.
ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-netmon.exe" splunk-netmon - Splunk network monitor is not available on this version of Windows.
The input configuration will be located in the splunk\etc\apps\MSICreated\local folder.
Check the logs on the forwarders in the splunk\etc\system\logs\splunk\splunkd.log for errors.
Hello,
I've selected all the performance checkboxes when I installed the forwarder. No more actions.
Thank you.
Are you sure the forwarders are configured to send performance information?