Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

KulvinderSingh
Path Finder
‎11-26-2021 02:03 AM

hi All,

I need to send windows event logs from Splunkforwarder to Indexers via a heavyforwarder.

I have done some configuration but it seems like something is incorrect as I am getting cooked data in splunk instead of logs.

All the help is appreciated.

 

regards,

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2021 02:38 AM

You have tcp: on HF, as I said. You need to send from UF to HF on splunktcp input.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

KulvinderSingh
Path Finder
‎11-26-2021 02:29 AM

Splunk forwarder: outputs.conf

[tcpout]
defaultGroup=xxxhf

 

[tcpout:xxxhf]
autoLBFrequency=40
server=x.x.x.x:xxxx
useACK=true
indexandforward=false

 

Heavy forwarder : inputs.conf

[tcp://xxxxx]

sourcetype=WinEventLog
index=xxxxx
disabled = 0

inputs on indexers : 

[splunktcp:xxxx]

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2021 02:38 AM

You have tcp: on HF, as I said. You need to send from UF to HF on splunktcp input.

0 Karma
Reply
Solved! Jump to solution

KulvinderSingh
Path Finder
‎11-26-2021 02:45 AM

Okay got it, I have changed it to splunktcp on forwarder and even I can read the logs in splunk SH but still sourcetype of logs is coming in as xmlWinEventlog instead of WinEventLog. I have the SpluK_TA_Windows on indexers as well as on HF and SF. But this I think is close to resolving the issue if i can just sort this small thing.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2021 05:47 AM

You define the sourcetype and whether you want the events rendered as xml or in "old format" in inputs.conf

0 Karma
Reply
Solved! Jump to solution

KulvinderSingh
Path Finder
‎11-26-2021 06:20 AM

so you mean to say in splunkforwarder inputs.conf i should set renderXML = false and that should fix it or will i have to do that everywhere like on SF,HF,IX all 3 places? sorry doing this for the first time. Getting windows logs is easiest of all but the way i am trying its looking very difficult.

 

thanks in advance.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2021 07:28 AM

OK. Baby steps 🙂

In the inputs.conf file on the UF you set how you want the events from the EventLog pulled - as XML or not.

Then you send it to HF, which sends data to indexer(s).

The app installed on the SH-s are responsible for search-time extractions.

I don't remember if the TA for windows does any index-time data modifications - you have to check the docs. If it does, you'd also need it on the HF. But I don't recall installing it there.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2021 02:18 AM

We don't know your config but I'd dare to guess that you're sending to tcp: input instead of splunktcp: one.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...