splunk for windows

jyo
New Member

Hi,
I have Splunk 6.0.2 installed with the Splunk App for Windows 5.0.2. I can see the Windows events in the Windows app. I want to forward the logs to a syslog server on port 514. Can anyone please inform me of the steps to follow for the same? Thanks.

0 Karma

jyo
New Member

I have turned off the firewall on the Windows and Linux machines. Still no success.

Also, I have installed the universal forwarder on the Windows machine and have given the indexing IP of the Windows machine and the port as 9997.

Can you inform me whether any changes are required in the conf files of the universal forwarder?

Thanks

0 Karma

jyo
New Member

I have modified outputs.conf as below:

[syslog]
defaultGroup = mysyslog
disabled = false

[syslog:mysyslog]
server = 10.211.210.140:514 # the IP of the Linux machine
type = udp

I have turned off the firewall on the Windows and Linux machines. Still no success.

Also, I have installed the universal forwarder on the Windows machine and have given the indexing IP of the Windows machine and the port as 9997.

Can you inform me whether any changes are required in the conf files of the universal forwarder?

Thanks

0 Karma


jyo
New Member

Hi MuS,

Thanks for the above post! I have read the docs on forwarding data to third-party systems. Below is my current scenario:

I have modified the conf files in \etc\System\local

1. inputs.conf:

[default]
host = WIN-ICJS9A8T038

[WinEventLog:Security]
disabled = 0
start-from = oldest
current-only = 0
evt-dc-name =
evt-dns-name =
evt-resolve-ad-obj = 0
checkpointinterval = 5

[WinEventLog:System]
disabled = 0
start-from = oldest
current-only = 0
evt-dc-name =
evt-dns-name =
evt-resolve-ad-obj = 0
checkpointinterval = 5

2. outputs.conf:

[syslog]
defaultGroup = mysyslog
disabled = false

[syslog:mysysloggroup]
server = 10.210.155.131:514 # the IP of the Linux machine
type = udp

3. props.conf:

[WinEventLog:security]
TRANSFORMS-routing = sendtosyslog

[Perfmon:Network Interface]
TRANSFORMS-routing = sendtosyslog

[syslog]
TRANSFORMS-routing = sendtosyslog

But I am unable to receive the logs on the Linux machine. Can you please help me resolve the issue?

Thanks.

0 Karma

jyo
New Member

I have turned off the firewall on the Windows and Linux machines. Still no success.

Also, I have installed the universal forwarder on the Windows machine and have given the indexing IP of the Windows machine and the port as 9997.

Can you inform me whether any changes are required in the conf files of the universal forwarder, and what more to do to receive the logs on the Linux machine?

Thanks

0 Karma

MuS
SplunkTrust

Your outputs.conf looks strange; you're using an undefined name as defaultGroup. Try something like this in outputs.conf:

[syslog]
defaultGroup = mysyslog
disabled = false

[syslog:mysyslog]
server = 10.210.155.131:514 # the IP of the Linux machine
type = udp

Besides this, all the usual debugging can help here, like running tcpdump on the indexer to see if there is something going out, checking firewalls, routing and so on.

0 Karma
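For the Linux side of the debugging MuS suggests above, a small UDP receiver that parses what arrives on the syslog port is often quicker than reading tcpdump output. The following is an added example written for this thread, not code from Splunk or from either poster. It assumes the forwarder emits RFC 3164-style datagrams ("<PRI>Mon dd hh:mm:ss host message") and that <13> (user.notice) is the default priority; the sample datagram, hostname and event fields are constructed for illustration.

```python
"""UDP syslog receiver/parser for checking that Windows events actually reach
the Linux syslog host. Added example for this thread, not Splunk code.

Assumptions (not from the thread): RFC 3164 framing "<PRI>TIMESTAMP HOST MSG",
one event per datagram, <13> as the default priority. SAMPLE below is a
constructed datagram shaped like a forwarded Windows Security event.
"""
import re
import socket
from typing import Dict, List

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 header; Windows event text spans several lines, hence DOTALL.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(datagram: bytes) -> Dict[str, object]:
    """Decode one datagram. Anything that is not a syslog message is kept and
    flagged rather than dropped, since "wrong format" is itself a finding."""
    text = datagram.decode("utf-8", errors="replace")
    m = _RFC3164.match(text)
    if m is None:
        return {"malformed": True, "raw": text}
    pri = int(m["pri"])
    if pri > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        return {"malformed": True, "raw": text}
    facility, severity = divmod(pri, 8)
    return {
        "malformed": False,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
    }


def receive_on(sock: socket.socket, count: int, timeout: float) -> List[Dict[str, object]]:
    """Read <count> datagrams from an already bound UDP socket and parse them."""
    sock.settimeout(timeout)
    events: List[Dict[str, object]] = []
    while len(events) < count:
        data, (src, _) = sock.recvfrom(65535)
        event = parse_syslog(data)
        event["source_ip"] = src  # should be the Windows forwarder's address
        events.append(event)
    return events


def receive(port: int = 514, host: str = "0.0.0.0", count: int = 1,
            timeout: float = 30.0) -> List[Dict[str, object]]:
    """Bind UDP host:port (514 needs root or CAP_NET_BIND_SERVICE) and return
    the next <count> parsed datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        return receive_on(sock, count, timeout)


# Constructed sample: a Windows Security event after the forwarder has
# prefixed the syslog header. Hostname taken from the thread; fields invented.
SAMPLE = (b"<13>Mar 14 09:21:07 WIN-ICJS9A8T038 03/14/2014 09:21:07 AM\n"
          b"LogName=Security\nEventCode=4624\nTaskCategory=Logon\n"
          b"Message=An account was successfully logged on.")


def loopback_roundtrip() -> Dict[str, object]:
    """Send SAMPLE to ourselves over 127.0.0.1 on an ephemeral port, so the
    receiver can be exercised without root and without the Windows host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        tx.sendto(SAMPLE, rx.getsockname())
        return receive_on(rx, count=1, timeout=5.0)[0]


if __name__ == "__main__":
    print(loopback_roundtrip())
    # On the real syslog host: print(receive(514, "0.0.0.0", count=5))
```

Run it as root on the Linux box with `receive(514)` while the forwarder is running: no datagrams within the timeout means the problem is upstream (forwarder config, firewall, routing), while datagrams flagged `malformed` mean the bytes arrive but not in the expected framing.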

MuS
SplunkTrust

Hi jyo,

You can find a perfect example in the docs on forwarding data to third-party systems; it includes an example for syslog data.

cheers, MuS

0 Karma
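The docs recipe MuS refers to spans three files that have to agree with each other: the group named by `defaultGroup` in outputs.conf must exist as a `[syslog:<group>]` stanza, every `TRANSFORMS-*` in props.conf must name a transforms.conf stanza, and that stanza must set `DEST_KEY = _SYSLOG_ROUTING` with `FORMAT` naming one of those groups. The checker below is an added example written for this thread, not Splunk's own tooling (on a real host, `splunk btool outputs list --debug` is the authoritative view of the merged config). The sample inputs are constructed from the configs posted above, with transforms.conf taken to be absent because it was never shown; the "fixed" set is the hypothetical corrected version. One caveat a practitioner should know: props/transforms routing to syslog is a heavy forwarder feature, so a universal forwarder as described in the thread will not apply it.

```python
"""Cross-check outputs.conf / props.conf / transforms.conf for the dangling
references seen in this thread. Added example, not Splunk's own tooling.

Assumed layout (Splunk's "forward to third-party systems" recipe):
  outputs.conf    [syslog] defaultGroup=<g>  and  [syslog:<g>] server=host:port
  props.conf      [<sourcetype>] TRANSFORMS-<name> = <stanza>
  transforms.conf [<stanza>] DEST_KEY=_SYSLOG_ROUTING  FORMAT=<g>
"""
import configparser
from typing import List, Set


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like: case-sensitive keys (TRANSFORMS-x),
    empty values allowed, and '#' is a comment only at line start, so the
    parser must not strip '#...' after a value (Splunk keeps it as value)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   inline_comment_prefixes=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # type: ignore[method-assign]
    cp.read_string(text)
    return cp


def _value(section: configparser.SectionProxy, key: str) -> str:
    return (section.get(key) or "").strip()


def syslog_groups(outputs: configparser.ConfigParser) -> Set[str]:
    return {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("syslog:")}


def check_outputs(outputs_text: str) -> List[str]:
    """Problems in outputs.conf: undefined defaultGroup, bad server, bad type."""
    cp = parse_conf(outputs_text)
    problems: List[str] = []
    groups = syslog_groups(cp)
    if not cp.has_section("syslog"):
        problems.append("no [syslog] stanza")
    else:
        default = _value(cp["syslog"], "defaultGroup")
        if not default:
            problems.append("[syslog] has no defaultGroup")
        elif default not in groups:
            problems.append(f"defaultGroup={default} has no [syslog:{default}] stanza")
    for g in sorted(groups):
        sec = cp[f"syslog:{g}"]
        server = _value(sec, "server")
        if "#" in server:  # the inline comment from the posted config
            problems.append(f"[syslog:{g}] server has an inline '#' comment; "
                            "Splunk keeps it as part of the value")
            server = server.split("#", 1)[0].strip()
        host, sep, port = server.rpartition(":")
        if not (host and sep and port.isdigit() and 0 < int(port) < 65536):
            problems.append(f"[syslog:{g}] server={server!r} is not host:port")
        kind = _value(sec, "type") or "udp"
        if kind not in ("tcp", "udp"):
            problems.append(f"[syslog:{g}] type={kind!r} must be tcp or udp")
    return problems


def check_routing(props_text: str, transforms_text: str, outputs_text: str) -> List[str]:
    """Every TRANSFORMS-* in props.conf must resolve to a transforms.conf stanza
    that routes (_SYSLOG_ROUTING) to a group outputs.conf actually defines."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    groups = syslog_groups(parse_conf(outputs_text))
    problems: List[str] = []
    for stanza in props.sections():
        for key, raw in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (raw or "").split(","):
                name = name.strip()
                if not transforms.has_section(name):
                    problems.append(f"props [{stanza}] {key}={name}: no [{name}] in transforms.conf")
                    continue
                t = transforms[name]
                if _value(t, "DEST_KEY") != "_SYSLOG_ROUTING":
                    problems.append(f"transforms [{name}] DEST_KEY is not _SYSLOG_ROUTING")
                fmt = _value(t, "FORMAT")
                if fmt not in groups:
                    problems.append(f"transforms [{name}] FORMAT={fmt!r} is not a [syslog:...] group")
    return problems


# Constructed from the configs posted in this thread; transforms.conf was
# never shown, so it is taken to be empty.
OUTPUTS_POSTED = """\
[syslog]
defaultGroup=mysyslog
disabled = false

[syslog:mysysloggroup]
server=10.210.155.131:514 # the IP of the Linux machine
type=udp
"""
PROPS_POSTED = """\
[WinEventLog:security]
TRANSFORMS-routing = sendtosyslog

[Perfmon:Network Interface]
TRANSFORMS-routing = sendtosyslog
"""
TRANSFORMS_POSTED = ""

# Hypothetical corrected set: group names agree, comment on its own line, and
# a transforms.conf stanza that routes to the group.
OUTPUTS_FIXED = """\
[syslog]
defaultGroup = mysyslog

# the IP of the Linux machine
[syslog:mysyslog]
server = 10.210.155.131:514
type = udp
"""
TRANSFORMS_FIXED = """\
[sendtosyslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = mysyslog
"""

if __name__ == "__main__":
    print("posted:", check_outputs(OUTPUTS_POSTED) +
          check_routing(PROPS_POSTED, TRANSFORMS_POSTED, OUTPUTS_POSTED))
    print("fixed: ", check_outputs(OUTPUTS_FIXED) +
          check_routing(PROPS_POSTED, TRANSFORMS_FIXED, OUTPUTS_FIXED))
```

Point `parse_conf` at the files under `etc/system/local` (or the app's `local` directory) to run it against a real forwarder; remember that Splunk merges several directories, which is why `btool` is the final word on what is in effect.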