
Windows_TA_addon inputs

tthonest
New Member

Unable to see any logs even after configuring inputs.conf under Splunk_TA_Windows > local.

I should at least see perfmon. Here's my config, to keep it basic.

[WinEventLog://Security]
disabled = 0
index = security
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = 0

My logs are showing success connecting to indexers, but

07-28-2019 13:43:19.292 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed (splunk cloud)


tthonest
New Member

Hey Giuseppe,

Apologies, to clarify...

07-29-2019 10:37:42.100 -0700 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0.
07-29-2019 10:37:58.589 -0700 WARN TcpOutputFd - Connect to x.x.x.x:8000 failed. No connection could be made because the target machine actively refused it.
07-29-2019 10:37:58.589 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed
07-29-2019 10:38:14.324 -0700 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_x.x.x.x_8089_ip-x-x-x-x-.ec2.internal_myWorkStation_...
07-29-2019 10:38:16.034 -0700 WARN TcpOutputFd - Connect to x.x.x.x:8000 failed. No connection could be made because the target machine actively refused it.
07-29-2019 10:38:16.034 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed

I've validated the logs; it does say 9997 is connected, and to my multiple indexer clusters, which is what I want. I don't know why it's trying to connect to my splunkcloud.com web UI; I just assume that since it's failing I should make sure it successfully establishes a connection. Regardless, I don't see logs in my Splunk Cloud instance at all.

My inputs file is quite straightforward...

inputs.conf (SPLUNKHOME\etc\apps\Splunk_TA_windows\local)
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0

So when I go into Splunk Cloud I expect to see index=* or index=security; I've manually created the index in Splunk Cloud already.


gcusello
SplunkTrust

Hi tthonest,
I don't think that the problem is in the inputs.conf but probably in outputs.conf.

First, check the connection (open ports) between your server and Splunk Cloud (using telnet).
Then, what port did you configure to send logs from the forwarder to Splunk Cloud? I see 8000, but this is the web interface port; by default logs are sent using port 9997.
Check in your Splunk Cloud whether you're receiving (probably not!) internal logs from the forwarder:

index=_internal host=your_host

Bye.
Giuseppe


gcusello
SplunkTrust

Hi tthonest,
Search for outputs.conf in your installation; it must be present (I see in your logs "Connected to idx=x.x.x.x:9997"), otherwise you cannot send logs to indexers or Heavy Forwarders.
Bye.
Giuseppe


gcusello
SplunkTrust

Hi tthonest,
inputs.conf seems to be correct, so I think that the problem is somewhere else, probably outputs.conf.
You can debug configuration files using the btool command: https://docs.splunk.com/Documentation/Splunk/7.3.0/Troubleshooting/Usebtooltotroubleshootconfigurati...
Bye.
Giuseppe

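The three checks Giuseppe asks for across his replies (is the receiving port reachable, does an outputs.conf actually exist and what does it resolve to, and what btool says about the inputs) collected into one PowerShell script to run on the Windows forwarder itself. This is an added example, not code from the thread or from Splunk. It assumes a universal forwarder installed under $env:SPLUNK_HOME (falling back to the default install path), the default receiving port 9997, and a placeholder receiver hostname that you replace with your own stack's indexer address.

```powershell
# Added diagnostic for the thread above; not part of the original post or of Splunk's own tooling.
# Assumptions: universal forwarder on Windows, default receiving port 9997,
# $Receiver is a placeholder and must be replaced with your Splunk Cloud indexer address.

$SplunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\SplunkUniversalForwarder' }
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$Receiver   = 'inputs.mystack.splunkcloud.com'   # hypothetical hostname, replace it
$Ports      = 9997, 8000                         # 9997 = data receiving (expected), 8000 = web UI (not for data)

# 1. Reachability of the receiving port. This is the "telnet" check without telnet;
#    a TcpTestSucceeded=False on 9997 means a firewall or wrong address, not an inputs.conf problem.
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $Receiver -Port $p -WarningAction SilentlyContinue
    '{0}:{1} TcpTestSucceeded={2}' -f $Receiver, $p, $r.TcpTestSucceeded
}

# 2. Effective outputs.conf as btool merges it across every app and etc/system/local.
#    --debug prefixes each setting with the file it came from, so you can see whether any
#    [tcpout] / [tcpout:<group>] stanza exists at all and where the 8000 destination is defined.
& $Splunk btool outputs list --debug

# 3. Effective inputs for the Security channel, again with the originating file per setting.
& $Splunk btool inputs list 'WinEventLog://Security' --debug

# 4. The most recent forwarding lines from splunkd.log, to pair each "Connected"/"failed"
#    message with the destination host:port it refers to.
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Get-Content $log -Tail 2000 |
    Select-String -Pattern 'TcpOutput(Fd|Proc)' |
    ForEach-Object { $_.Line } |
    Select-Object -Last 20
```

Run it from an elevated PowerShell so btool can read every app directory. If step 2 prints no [tcpout] stanza from any file, the forwarder has nothing to send with, which is Giuseppe's point: on Splunk Cloud the outputs.conf (and the certificates it references) normally arrives as the "universal forwarder credentials" app downloaded from the Cloud instance, not as a hand-written file in Splunk_TA_windows\local. Once step 1 shows 9997 reachable and step 2 shows only 9997 destinations, confirm arrival on the Cloud side with index=_internal host=<your forwarder host> before looking at index=security.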

tthonest
New Member

Hello, okay, I don't see an outputs.conf file under local.
