Deployment Architecture

Sending Windows Eventlogs from splunk forwarder via a heavyforwarder to indexers

KulvinderSingh
Path Finder

hi All,

I need to send windows event logs from Splunkforwarder to Indexers via a heavyforwarder.

I have done some configuration but it seems like something is incorrect as I am getting cooked data in splunk instead of logs.

All the help is appreciated.

 

regards,

 

Labels (3)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

You have tcp: on HF, as I said. You need to send from UF to HF on splunktcp input.

View solution in original post

0 Karma

KulvinderSingh
Path Finder

Splunk forwarder: outputs.conf

[tcpout]
defaultGroup=xxxhf

 

[tcpout:xxxhf]
autoLBFrequency=40
server=x.x.x.x:xxxx
useACK=true
indexandforward=false

 

Heavy forwarder : inputs.conf

[tcp://xxxxx]

sourcetype=WinEventLog
index=xxxxx
disabled = 0

inputs on indexers : 

[splunktcp:xxxx]

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You have tcp: on HF, as I said. You need to send from UF to HF on splunktcp input.

0 Karma

KulvinderSingh
Path Finder

Okay got it, I have changed it to splunktcp on forwarder and even I can read the logs in splunk SH but still sourcetype of logs is coming in as xmlWinEventlog instead of WinEventLog. I have the SpluK_TA_Windows on indexers as well as on HF and SF. But this I think is close to resolving the issue if i can just sort this small thing.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You define the sourcetype and whether you want the events rendered as xml or in "old format" in inputs.conf

0 Karma

KulvinderSingh
Path Finder

so you mean to say in splunkforwarder inputs.conf i should set renderXML = false and that should fix it or will i have to do that everywhere like on SF,HF,IX all 3 places? sorry doing this for the first time. Getting windows logs is easiest of all but the way i am trying its looking very difficult.

 

thanks in advance.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

OK. Baby steps 🙂

In the inputs.conf file on the UF you set how you want the events from the EventLog pulled - as XML or not.

Then you send it to HF, which sends data to indexer(s).

The app installed on the SH-s are responsible for search-time extractions.

I don't remember if the TA for windows does any index-time data modifications - you have to check the docs. If it does, you'd also need it on the HF. But I don't recall installing it there.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

We don't know your config but I'd dare to guess that you're sending to tcp: input instead of splunktcp: one.

0 Karma
Get Updates on the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...