
add on for windows on centos

jibin1988
Path Finder

Hi Splunkers,

I have installed my Splunk Enterprise as a single instance on a CentOS machine. I am trying to get logs from my domain using the Universal Forwarder. I installed the Splunk Add-on for Windows on both the domain and on Splunk, and configured the receiving port on Splunk as well. Still I am not getting logs on my Splunk server. Will the Splunk Add-on for Windows support a CentOS machine? Kindly help on this.

Regards,
Jibin


bjoernhansen
Path Finder

To answer your question:
Yes, Splunk is perfectly fine with Windows TA/Windows data being sent to a Linux box running Splunk.
As FrankVl pointed out, you're most likely having a problem with either your inputs or outputs on the UF.
Try a search like index=_internal host=yourwindowshostname
If you don't get any results at all, your UF is missing a proper outputs.conf to actually forward the data to your Splunk instance.

EDIT: On the Windows machine, start a shell/CLI, go to the Splunk UF install directory, go to the subdirectory bin, and run splunk.exe list forward-server. If it shows no active forward, you might have a firewall issue.

jibin1988
Path Finder

Hi,

You are right, mine is showing:

Active forwards:
None
Configured but inactive forwards:
192.168.xx.xx:9997
How can I solve it without turning off the firewall?

xpac
SplunkTrust

On your CentOS box, you could run tcpdump -i eth0 tcp port 9997 -nn to see if you actually get any traffic from your UF, or if maybe a firewall in between already drops that traffic.

You could contact your network admin, if available, to help you troubleshoot this.

If my answer helped you, I'd be happy if you'd upvote/accept it 🙂


jibin1988
Path Finder

I am getting traffic to port 9997. I am getting syslogs from my firewall, but only the Windows logs I am not getting. Earlier I tried this on a Windows machine and was getting logs without any issue. Please find my output.conf below:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = 192.168.xx.xx:9997

[tcpout-server://192.168.xx.xxx:9997]


xpac
SplunkTrust

From the output of list forward-server I'd say that your config is okay, but somehow the connection fails. Could you do a search like index=_internal host=yourwindowshostname to see if you get/got anything at all from that UF?
Also, check the UF's splunkd.log for any error messages.

jibin1988
Path Finder

Got it bro. It's working. Port 9997 was not open on CentOS 🙂. Thank you.
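The troubleshooting path in this thread (read splunk list forward-server, then check whether the CentOS receiver is listening on 9997 and whether the host firewall admits it) as an added shell example; it is not code from the thread or from Splunk. The forward-server output and the 192.168.10.20 address are constructed placeholders, and the firewalld checks only run where firewall-cmd exists.

```shell
#!/bin/sh
# Constructed sample of `splunk.exe list forward-server` output, in the shape
# the original poster pasted (placeholder receiver address).
SAMPLE_FORWARD_LIST='Active forwards:
None
Configured but inactive forwards:
192.168.10.20:9997'

# Print "active <host:port>" or "inactive <host:port>" for each configured receiver.
classify_forwards() {
  printf '%s\n' "$1" | awk '
    /^Active forwards:/          { state = "active";   next }
    /^Configured but inactive/   { state = "inactive"; next }
    /^None$/ || /^[[:space:]]*$/ { next }
    /:[0-9]+$/                   { print state, $1 }'
}

# Receiver-side checks for one inactive forward: is anything listening on the
# port, and does firewalld admit it? Prints one status line per check.
check_receiver_port() {
  port="$1"
  if command -v ss >/dev/null 2>&1; then
    if ss -ltn 2>/dev/null | grep -q ":${port}[[:space:]]"; then
      echo "listen ${port} yes"
    else
      echo "listen ${port} no (enable receiving on the indexer first)"
    fi
  fi
  if command -v firewall-cmd >/dev/null 2>&1; then
    if firewall-cmd --query-port="${port}/tcp" >/dev/null 2>&1; then
      echo "firewall ${port} open"
    else
      echo "firewall ${port} closed"
    fi
  else
    echo "firewall ${port} unknown (firewall-cmd not found)"
  fi
}

# Build the firewalld rich rule that admits the port only from the forwarder's
# address, rather than turning the firewall off. Follow with firewall-cmd --reload.
firewalld_allow_rule() {
  printf 'firewall-cmd --permanent --add-rich-rule=%s\n' \
    "'rule family=\"ipv4\" source address=\"$1\" port port=\"$2\" protocol=\"tcp\" accept'"
}

classify_forwards "$SAMPLE_FORWARD_LIST"
firewalld_allow_rule 192.168.10.20 9997
```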

FrankVl
Ultra Champion

Did you actually configure inputs and outputs on the Universal Forwarder on the Windows machine?
Any errors in splunkd.log on the UF?

jibin1988
Path Finder

No, there is no error in splunkd.log. Input and output.conf are fine.
Input.conf:

[default]
host = Server

Output.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.xx.xx:9997

[tcpout-server://192.168.xx.xx:9997]

splunkd.log last message:

04-29-2018 10:38:02.144 +0400 INFO loader - win-service: Starting as a Windows service: will run various system checks first...
