All Apps and Add-ons

splunk for windows

jyo
New Member

Hi,
I have Splunk 6.0.2 installed with the Splunk App for Windows 5.0.2. I can see the Windows events in the Windows app. I want to forward the logs to a syslog server on port 514. Can anyone please inform me of the steps to follow for the same. Thanks.

0 Karma

jyo
New Member

I have turned off the firewall on the Windows and Linux machines. Still no success.

Also, I have installed the universal forwarder on the Windows machine and have given the indexing IP of the Windows machine and the port as 9997.

Can you inform me whether any changes are required in the conf files of the universal forwarder?

Thanks

0 Karma

jyo
New Member

I have modified outputs.conf as below (the comment is on its own line, because splunkd does not strip a comment that follows a setting on the same line):

[syslog]
defaultGroup = mysyslog
disabled = false

[syslog:mysyslog]
# the IP of the Linux machine
server = 10.211.210.140:514
type = udp

I have turned off the firewall on the Windows and Linux machines. Still no success.

Also, I have installed the universal forwarder on the Windows machine and have given the indexing IP of the Windows machine and the port as 9997.

Can you inform me whether any changes are required in the conf files of the universal forwarder?

Thanks

0 Karma

jyo
New Member

Hi Mus,

Thanks for the above post!! I have read the docs on forwarding data to third parties. Below is my current scenario:

I have modified the conf files in \etc\System\local

1. inputs.conf:

[default]
host = WIN-ICJS9A8T038

[WinEventLog:Security]
disabled = 0
start-from = oldest
current-only = 0
evt-dc-name =
evt-dns-name =
evt-resolve-ad-obj = 0
checkpointinterval = 5

[WinEventLog:System]
disabled = 0
start-from = oldest
current-only = 0
evt-dc-name =
evt-dns-name =
evt-resolve-ad-obj = 0
checkpointinterval = 5

2. outputs.conf:

[syslog]
defaultGroup = mysyslog
disabled = false

[syslog:mysysloggroup]
# the IP of the Linux machine
server = 10.210.155.131:514
type = udp

3. props.conf:

[WinEventLog:security]
TRANSFORMS-routing = sendtosyslog

[Perfmon:Network Interface]
TRANSFORMS-routing = sendtosyslog

[syslog]
TRANSFORMS-routing = sendtosyslog

But I am unable to receive the logs on the Linux machine. Can you please help to resolve the issue?

Thanks.

0 Karma

jyo
New Member

I have turned off the firewall on the Windows and Linux machines. Still no success.

Also, I have installed the universal forwarder on the Windows machine and have given the indexing IP of the Windows machine and the port as 9997.

Can you inform me whether any changes are required in the conf files of the universal forwarder, and what more to do to receive the logs on the Linux machine?

Thanks

0 Karma

MuS
SplunkTrust

Your outputs.conf looks strange; you're using an undefined name as defaultGroup. Try something like this in outputs.conf:

[syslog]
defaultGroup = mysyslog
disabled = false

[syslog:mysyslog]
# the IP of the Linux machine
server = 10.210.155.131:514
type = udp

Besides this, all the usual debugging can help here, like running tcpdump on the indexer to see if there is something going out, checking firewalls, routing and so on.

0 Karma
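As an added example (not from the thread and not a Splunk tool), the script below parses the posted outputs.conf the way splunkd reads .conf files (keys case-sensitive, `#` only a comment at the start of a line) and reports the two things that stop it from working: the defaultGroup that names no [syslog:<group>] stanza, which MuS points out above, and a comment placed on the same line as `server`, which splunkd keeps as part of the value so the target is not a valid host:port. It also checks that a TRANSFORMS-routing entry in props.conf is backed by a transforms.conf stanza that writes _SYSLOG_ROUTING with a FORMAT matching a defined group. The corrected outputs.conf and the transforms.conf in the block are assumptions for illustration; the thread shows neither. One caveat that applies to the thread's setup: per outputs.conf.spec the syslog output processor is not available on the universal forwarder, and the UF does not run parsing-time transforms, so this routing belongs on a heavy forwarder or the indexer.

```python
"""Consistency check for Splunk syslog-output config (added example, not from the thread)."""
import configparser
import re
from typing import Dict, List

# outputs.conf as posted in the thread (inline comment kept on purpose).
POSTED_OUTPUTS = """\
[syslog]
defaultGroup=mysyslog
disabled = false
[syslog:mysysloggroup]
server=10.210.155.131:514 # the IP of the Linux machine
type=udp
"""

# Assumed corrected outputs.conf: group name matches, comment on its own line.
FIXED_OUTPUTS = """\
[syslog]
defaultGroup = mysyslog
disabled = false

[syslog:mysyslog]
# the IP of the Linux machine
server = 10.210.155.131:514
type = udp
"""

# props.conf stanza as posted, plus an assumed transforms.conf (not in the
# thread) that the TRANSFORMS-routing line needs: send every event to the group.
POSTED_PROPS = """\
[WinEventLog:Security]
TRANSFORMS-routing = sendtosyslog
"""
ASSUMED_TRANSFORMS = """\
[sendtosyslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = mysyslog
"""

HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:([0-9]{1,5})$")


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style .conf text: case-sensitive keys, '#' is a comment only
    at the start of a line (no inline stripping), no %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#",),
                                   inline_comment_prefixes=None, strict=False)
    cp.optionxform = str  # keep 'defaultGroup' exactly as written
    cp.read_string(text)
    return cp


def syslog_groups(cp: configparser.ConfigParser) -> Dict[str, str]:
    """Map group name -> stanza name for every [syslog:<group>] stanza."""
    return {s[len("syslog:"):]: s for s in cp.sections() if s.startswith("syslog:")}


def check_outputs(text: str) -> List[str]:
    """Return the problems found in an outputs.conf; an empty list means consistent."""
    cp = parse_conf(text)
    problems: List[str] = []
    groups = syslog_groups(cp)
    if not groups:
        problems.append("no [syslog:<group>] stanza defined")
    default = cp.get("syslog", "defaultGroup", fallback=None)
    if default is None:
        problems.append("[syslog] stanza has no defaultGroup")
    else:
        for name in (g.strip() for g in default.split(",")):
            if name not in groups:
                problems.append(f"defaultGroup '{name}' has no [syslog:{name}] stanza")
    for stanza in groups.values():
        server = cp.get(stanza, "server", fallback="")
        if "#" in server:
            problems.append(f"[{stanza}] server contains '#'; the inline comment is part "
                            f"of the value, target would be {server!r}")
        else:
            m = HOST_PORT.match(server)
            if not m or not 1 <= int(m.group(1)) <= 65535:
                problems.append(f"[{stanza}] server must be host:port, got {server!r}")
        if cp.get(stanza, "type", fallback="udp").lower() not in ("udp", "tcp"):
            problems.append(f"[{stanza}] type must be udp or tcp")
    return problems


def check_routing(props_text: str, transforms_text: str, outputs_text: str) -> List[str]:
    """Every TRANSFORMS-* in props.conf must name a transforms.conf stanza that
    writes _SYSLOG_ROUTING with a FORMAT equal to a group defined in outputs.conf."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    groups = syslog_groups(parse_conf(outputs_text))
    problems: List[str] = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for tname in (v.strip() for v in value.split(",")):
                if not transforms.has_section(tname):
                    problems.append(f"props [{stanza}] {key}: missing transforms stanza [{tname}]")
                    continue
                if transforms.get(tname, "DEST_KEY", fallback="") != "_SYSLOG_ROUTING":
                    problems.append(f"transforms [{tname}] DEST_KEY is not _SYSLOG_ROUTING")
                fmt = transforms.get(tname, "FORMAT", fallback="")
                if fmt not in groups:
                    problems.append(f"transforms [{tname}] FORMAT '{fmt}' matches no [syslog:<group>]")
    return problems


if __name__ == "__main__":
    for label, text in (("posted", POSTED_OUTPUTS), ("fixed", FIXED_OUTPUTS)):
        print(label, check_outputs(text) or "OK")
    print("routing", check_routing(POSTED_PROPS, ASSUMED_TRANSFORMS, FIXED_OUTPUTS) or "OK")
```

Running it reports two problems for the posted file (the unmatched defaultGroup and the `#` inside the server value) and none for the corrected one; point it at `$SPLUNK_HOME/etc/system/local/outputs.conf` before restarting splunkd, and if it passes but nothing arrives, the remaining suspects are the forwarder type (UF versus heavy forwarder) and the network path MuS mentions.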

MuS
SplunkTrust

Hi jyo,

You can find a perfect example in the docs on forwarding data to third-party systems; it includes an example for syslog data.

cheers, MuS

0 Karma