
Add-on for Windows on CentOS

jibin1988
Path Finder

Hi Splunkers,

I have installed my Splunk Enterprise as a single instance on a CentOS machine. I am trying to get logs from my domain using the Universal Forwarder. I installed the Splunk Add-on for Windows on both the domain and on Splunk, and configured the receiving port on Splunk as well. Still I am not getting logs on my Splunk server. Will the Splunk Add-on for Windows support a CentOS machine? Kindly help on this.

Regards,
Jibin

bjoernhansen
Path Finder

To answer your question:
Yes, Splunk is perfectly fine with Windows TA/Windows data being sent to a Linux box running Splunk.
As FrankVI pointed out, you're most likely having a problem with either your inputs or outputs on the UF.
Try a search like index=_internal host=yourwindowshostname
If you don't get any results at all, your UF is missing a proper outputs.conf to actually forward the data to your Splunk instance.

EDIT: On the Windows machine, start a shell/CLI, go to Splunk UF install directory, go to subdirectory bin, run splunk.exe list forward-server. If it shows no active forward, you might have a firewall issue.

jibin1988
Path Finder

Hi,

You are right, mine is showing:

Active forwards:
None
Configured but inactive forwards:
192.168.xx.xx:9997

How can I solve it without turning off the firewall?

xpac
SplunkTrust

On your CentOS box, you could run tcpdump -i eth0 tcp port 9997 -nn to see if you actually get any traffic from your UF, or if maybe a firewall in between already drops that traffic.

You could contact your network admin, if available to help you troubleshoot this.

If my answer helped you, I'd be happy if you'd upvote/accept it 🙂

jibin1988
Path Finder

I am getting traffic to port 9997; I am getting syslogs from my firewall. But only the Windows logs I am not getting. Earlier I tried this on a Windows machine and was getting logs without any issue. Please find my outputs.conf below:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = 192.168.xx.xx:9997

[tcpout-server://192.168.xx.xxx:9997]

xpac
SplunkTrust

From the output of list forward-server I'd say that your config is okay, but somehow the connection fails. Could you do a search like index=_internal host=yourwindowshostname to see if you get/got anything at all from that UF?
Also, check the UF's splunkd.log for any error messages.

jibin1988
Path Finder

Got it bro. It's working. Port 9997 was not open on CentOS 🙂. Thank you.
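
As an added example that is not part of the thread and is not Splunk's own code: the following POSIX shell script turns the checks the answers walk through (the list forward-server output on the UF, the server list in outputs.conf, and whether the receiving port is both listening and permitted by firewalld on the CentOS box) into small functions that can be tested offline. The SAMPLE_* strings are constructed to look like the outputs quoted in the thread; the ss and firewall-cmd invocations, the --live flag, the RECEIVE_PORT variable and the file name uf_receiver_check.sh are this script's own assumptions about a stock CentOS host running firewalld.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk: helpers for the checks the
# answers describe. The SAMPLE_* values are constructed to match the shapes
# shown in the posts; addresses and hostnames are placeholders.

# Step 1: on the Windows UF, `splunk.exe list forward-server`.
# Prints each target listed under "Configured but inactive forwards";
# returns 0 when every configured forward is active, 1 otherwise.
inactive_forwards() {
    printf '%s\n' "$1" | awk '
        /^Active forwards:/        { section = "active";   next }
        /^Configured but inactive/ { section = "inactive"; next }
        section == "inactive" && NF && $1 != "None" { print $1; found = 1 }
        END { exit (found ? 1 : 0) }'
}

# Step 2: sanity-check outputs.conf. Prints any [tcpout-server://host:port]
# stanza whose host:port does not appear in a "server =" list; such a stanza
# silently applies to nothing, which is the kind of typo worth catching early.
orphan_tcpout_server_stanzas() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", parts[i]); known[parts[i]] = 1 }
        }
        /^\[tcpout-server:\/\// {
            s = $0
            sub(/^\[tcpout-server:\/\//, "", s); sub(/\][ \t]*$/, "", s)
            stanza[s] = 1
        }
        END { for (s in stanza) if (!(s in known)) print s }'
}

# Step 3a: on the CentOS indexer, is splunkd listening on the receiving port?
# Input: the output of `ss -ltn`; column 4 is "Local Address:Port".
port_is_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" && $4 ~ (":" port "$") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Step 3b: does firewalld's default zone allow the port? Input: the output of
# `firewall-cmd --list-ports`, e.g. "514/udp 8000/tcp". Only explicitly added
# ports appear there; a port opened through a named service will not.
firewalld_allows_port() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2/tcp"
}

# Constructed samples, shaped like the outputs quoted in the thread.
SAMPLE_FORWARD_SERVER='Active forwards:
    None
Configured but inactive forwards:
    192.168.xx.xx:9997'

SAMPLE_OUTPUTS_CONF='[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = 192.168.xx.xx:9997

[tcpout-server://192.168.xx.xxx:9997]'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8089       0.0.0.0:*
LISTEN 0      128    0.0.0.0:9997       0.0.0.0:*'

SAMPLE_FIREWALL_PORTS='514/udp 8000/tcp'

# Live mode: run the indexer-side checks for real (firewall-cmd needs root).
# Usage: sh uf_receiver_check.sh --live   (RECEIVE_PORT overrides 9997)
live_check() {
    port="${RECEIVE_PORT:-9997}"
    if port_is_listening "$(ss -ltn 2>/dev/null)" "$port"; then
        echo "splunkd is listening on tcp/$port"
    else
        echo "nothing listens on tcp/$port: enable receiving on the indexer first"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        if firewalld_allows_port "$(firewall-cmd --list-ports 2>/dev/null)" "$port"; then
            echo "firewalld permits tcp/$port"
        else
            echo "firewalld does not list tcp/$port; to allow it:"
            echo "  firewall-cmd --permanent --add-port=$port/tcp && firewall-cmd --reload"
        fi
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run with --live on the CentOS indexer to get the listening and firewalld verdicts for the real port; without arguments the script only defines the helpers, so it can be sourced or fed the captured outputs from another host. The orphan-stanza check flags exactly the kind of mismatch visible in the first outputs.conf posted in this thread, where the tcpout-server stanza names a different address than the server line; that would not by itself stop forwarding, but it is a sign the file was hand-edited and deserves a second look.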

FrankVl
Ultra Champion

Did you actually configure inputs and outputs on the universal forwarder on the Windows machine?
Any errors in splunkd.log on the UF?

jibin1988
Path Finder

No, there is no error in splunkd.log. inputs.conf and outputs.conf are fine.
inputs.conf:

[default]
host = Server

outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.xx.xx:9997

[tcpout-server://192.168.xx.xx:9997]

splunkd.log last message:

04-29-2018 10:38:02.144 +0400 INFO loader - win-service: Starting as a Windows service: will run various system checks first...
