Hi Splunkers,
I have installed my Splunk Enterprise as a single instance on a CentOS machine. I am trying to get logs from my domain using the Universal Forwarder. I installed the Splunk Add-on for Windows on both the domain and on Splunk, and configured the receiving port on Splunk as well. Still I am not getting logs on my Splunk server. Will the Splunk Add-on for Windows support a CentOS machine? Kindly help on this.
Regards,
Jibin
To answer your question:
Yes, Splunk is perfectly fine with Windows TA/windows data being sent to a Linux box running Splunk.
As FrankVI pointed out, you're most likely having a problem with either your inputs or outputs on the UF.
Try a search like index=_internal host=yourwindowshostname
If you don't get any results at all, your UF is missing a proper outputs.conf to actually forward the data to your Splunk instance.
EDIT: On the Windows machine, start a shell/CLI, go to the Splunk UF install directory, go to subdirectory bin, and run splunk.exe list forward-server. If it shows no active forward, you might have a firewall issue.
Hi,
You are right, mine is showing:
Active forwards:
None
Configured but inactive forwards:
192.168.xx.xx:9997
How can I solve it without turning off the firewall?
On your CentOS box, you could run tcpdump -i eth0 tcp port 9997 -nn to see if you actually get any traffic from your UF, or if maybe a firewall in between already drops that traffic.
You could contact your network admin, if available to help you troubleshoot this.
If my answer helped you, I'd be happy if you'd upvote/accept it 🙂
I am getting traffic to port 9997. I am getting syslogs from my firewall, but only the Windows logs I am not getting. Earlier I tried this on a Windows machine and I was getting logs without any issue. Please find my output.conf below:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = 192.168.xx.xx:9997
[tcpout-server://192.168.xx.xxx:9997]
From the output of list forward-server I'd say that your config is okay, but somehow the connection fails. Could you do a search like index=_internal host=yourwindowshostname to see if you get/got anything at all from that UF?
Also, check the UF's splunkd.log for any error messages.
Got it bro. It's working. Port 9997 was not open at CentOS 🙂. Thank you.
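The troubleshooting steps above (check outputs.conf, run splunk list forward-server, then find out whether the receiver is actually reachable through the indexer's host firewall) can be put into one small check that runs on the UF side. The script below is an added example written for this thread, not code from Splunk or from the posters; the outputs.conf text and the list forward-server output are constructed samples that mirror what was pasted in the thread, with the redacted 192.168.xx.xx placeholder kept as-is, and the probe/verdict wording is my own.

```python
import configparser
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample inputs, mirroring what the poster pasted in the thread.
# 192.168.xx.xx is the poster's redacted placeholder, not a real receiver.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = 192.168.xx.xx:9997

[tcpout-server://192.168.xx.xx:9997]
"""

SAMPLE_FORWARD_SERVER_OUTPUT = """Active forwards:
    None
Configured but inactive forwards:
    192.168.xx.xx:9997
"""


def parse_outputs_conf(text: str) -> List[str]:
    """Return the receivers the UF will send to, taken from the default tcpout group."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "tcpout" not in cp:
        return []
    group = cp["tcpout"].get("defaultGroup", "").strip()
    stanza = f"tcpout:{group}"
    if not group or stanza not in cp:
        return []
    if cp[stanza].getboolean("disabled", fallback=False):
        return []  # a disabled group forwards nothing
    return [s.strip() for s in cp[stanza].get("server", "").split(",") if s.strip()]


def parse_forward_server(text: str) -> Dict[str, List[str]]:
    """Split 'splunk list forward-server' output into active and inactive receivers."""
    active: List[str] = []
    inactive: List[str] = []
    current: Optional[List[str]] = None
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if entry.startswith("Active forwards"):
            current = active
        elif entry.startswith("Configured but inactive forwards"):
            current = inactive
        elif entry != "None" and current is not None:
            current.append(entry)
    return {"active": active, "inactive": inactive}


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Attempt a TCP connect; None on success, otherwise a short failure reason.
    A host firewall that DROPs the SYN shows up as 'timed out'; firewalld's default
    REJECT on CentOS usually surfaces as an OSError ('No route to host')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except socket.timeout:
        return "timed out"
    except ConnectionRefusedError:
        return "connection refused"
    except OSError as exc:
        return f"error: {exc}"


def diagnose(outputs_conf: str, forward_server_output: str,
             probe: Callable[[str, int], Optional[str]] = tcp_probe) -> List[Dict[str, object]]:
    """Cross-check configured receivers against forwarder state and reachability."""
    state = parse_forward_server(forward_server_output)
    results: List[Dict[str, object]] = []
    for server in parse_outputs_conf(outputs_conf):
        host, _, port = server.rpartition(":")
        if not host:  # bare host without a port: Splunk's receiving port default
            host, port = port, "9997"
        active = server in state["active"]
        failure = None if active else probe(host, int(port))
        if active:
            verdict = "forwarding"
        elif failure is None:
            verdict = ("reachable but inactive: check the receiving port on the indexer "
                       "and the UF's splunkd.log")
        else:
            verdict = (f"unreachable ({failure}): check that splunkd listens on the port "
                       "and that the indexer's host firewall (firewalld/iptables) allows it")
        results.append({"server": server, "active": active, "probe": failure, "verdict": verdict})
    return results


if __name__ == "__main__":
    # With the redacted placeholder address, the live probe reports a name-resolution error.
    for result in diagnose(SAMPLE_OUTPUTS_CONF, SAMPLE_FORWARD_SERVER_OUTPUT):
        print(result["server"], "->", result["verdict"])
```

Run it on the UF with the real outputs.conf and the real list forward-server output substituted for the samples; a receiver that is "configured but inactive" and whose probe times out or returns "No route to host" points at the indexer's host firewall, which is exactly the case this thread ended on.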
Did you actually configure inputs and outputs on the universal forwarder on the windows machine?
Any errors in splunkd.log on the UF?
No, there is no error in splunkd.log. Input and output.conf are fine.
Input.conf:
[default]
host = Server
Output.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.xx.xx:9997
[tcpout-server://192.168.xx.xx:9997]
splunkd.log last message:
04-29-2018 10:38:02.144 +0400 INFO loader - win-service: Starting as a Windows service: will run various system checks first...