Deployment Architecture

Splunk_TA_windows / Universal Forwarder phoning home, not sending data?

semenko
New Member

I'm new to Splunk, and trying it out in a small environment of Windows 8 machines.

  • I have a Splunk frontend (collector?) running on Ubuntu, with a few Windows 8 clients.
  • I've deployed the Universal Forwarder via GPO to Windows 8 test machines
  • I installed the Splunk for Windows app on the Ubuntu collector (I see a cool Windows GUI on the :8000 interface now)
  • I've put the Splunk_TA_Windows app into the deployment_apps folder, and assigned it to the clients

Now the UI shows the apps are deployed (in the Forwarder Management panel), and clients are "Phoning Home" (cool!). However, I don't see any data being collected.

When I click on the "App: Windows" area in the :8000 GUI, I don't see any events. Zero hosts, zero log names, etc.

Any thoughts on how to debug this?

0 Karma

semenko
New Member

OK, I think this ended up being a problem with Linux vs Windows line returns (e.g. adding ^M to the output.conf file on Linux before deployment).

Manually editing the output.conf file on a Windows machine (or adding ^M to line returns) solved this issue.

However, I can't seem to get Splunk to re-deploy the new output.conf with ^M returns.

Q: How can I tell Splunk to re-deploy output.conf to the UniversalForwarders?

I've edited output.conf appropriately and run /opt/splunk/bin/splunk reload deploy-server

The clients are "phoning home" to the deployment server, but they don't have the correct output.conf that I see in deployment-apps/Splunk_TA_windows/default/

0 Karma

semenko
New Member

I added a 9997 receiver. I think the forwarders are sending to that port (I set the MSI option of DEPLOYMENT_SERVER and RECEIVING_INDEXER, so I think it should know where the server is).

How can I set the forwarders to forward from the Windows Event Log?

[I figured the Splunk_TA_windows application would forward data, as I copied the default example into deployment_apps\Splunk_TA_windows\local\inputs.conf]

0 Karma

antlefebvre
Communicator

And when you deployed the forwarders, did you set them to forward from your Windows event log?

0 Karma

antlefebvre
Communicator

Have you configured any listening ports under Settings -> Forwarding and receiving -> Receive data? 9997 is the default. You would also want to make sure your universal forwarders are sending to that port.

0 Karma
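The three things this thread ends up checking by hand (a receiver on port 9997 in outputs.conf, an enabled Windows Event Log stanza in inputs.conf, and Linux vs Windows line endings in files pushed to Windows forwarders) can be checked on the deployment server before an app is pushed. The script below is an added example, not Splunk tooling and not code from anyone in the thread. The sample outputs.conf and inputs.conf contents are constructed, the hostname splunk-collector.example.local is a placeholder, and the loader assumes the deployment-apps/<app>/default and local layout the thread describes.

```python
"""Pre-deployment sanity check for a Splunk deployment app (example code, not Splunk's).

Checks:
  1. outputs.conf has a [tcpout:<group>] server= entry and which port it targets
  2. inputs.conf has at least one enabled WinEventLog:// stanza
  3. each .conf file uses consistent line endings (LF-only or mixed files are flagged
     because the targets here are Windows forwarders)
"""
import configparser
from pathlib import Path

RECEIVER_PORT = 9997  # Splunk's default receiving port

# Constructed sample files standing in for deployment-apps/Splunk_TA_windows/local/.
SAMPLE_OUTPUTS_CONF = (
    "[tcpout]\r\n"
    "defaultGroup = default-autolb-group\r\n"
    "\r\n"
    "[tcpout:default-autolb-group]\r\n"
    "server = splunk-collector.example.local:9997\r\n"   # placeholder host
)
SAMPLE_INPUTS_CONF = (
    "[WinEventLog://Security]\n"        # LF-only: what a Linux editor produces
    "disabled = 0\n"
    "\n"
    "[WinEventLog://Application]\n"
    "disabled = 1\n"
)


def line_ending_report(data: bytes) -> str:
    """Classify a file's line endings as 'crlf', 'lf', 'mixed' or 'none'."""
    crlf = data.count(b"\r\n")
    lf_only = data.count(b"\n") - crlf
    if crlf and lf_only:
        return "mixed"
    if crlf:
        return "crlf"
    return "lf" if lf_only else "none"


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are ini-style; keys are case-sensitive and values may contain % or $."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text.replace("\r\n", "\n"))
    return cp


def receiver_targets(outputs_text: str) -> list[tuple[str, int]]:
    """Return (host, port) pairs from every [tcpout:<group>] server= setting."""
    cp = parse_conf(outputs_text)
    targets = []
    for section in cp.sections():
        if section.startswith("tcpout:") and cp.has_option(section, "server"):
            for entry in cp.get(section, "server").split(","):
                host, _, port = entry.strip().rpartition(":")
                targets.append((host, int(port)))
    return targets


def enabled_eventlog_inputs(inputs_text: str) -> list[str]:
    """Return WinEventLog:// stanzas that are not disabled."""
    cp = parse_conf(inputs_text)
    return [s for s in cp.sections()
            if s.startswith("WinEventLog://")
            and cp.get(s, "disabled", fallback="0").strip().lower() not in ("1", "true")]


def check_app(files: dict[str, bytes]) -> list[str]:
    """Run all checks over {basename: raw bytes}; an empty list means nothing was flagged."""
    findings = []
    for name, data in files.items():
        endings = line_ending_report(data)
        if endings in ("lf", "mixed"):
            findings.append(f"{name}: {endings} line endings (Windows targets: expect CRLF)")
    outputs = files.get("outputs.conf")
    if outputs is None:
        findings.append("outputs.conf missing: forwarders have nowhere to send")
    else:
        targets = receiver_targets(outputs.decode())
        if not targets:
            findings.append("outputs.conf: no [tcpout:<group>] server= entry")
        for host, port in targets:
            if port != RECEIVER_PORT:
                findings.append(f"outputs.conf: {host}:{port} is not the default receiving "
                                f"port {RECEIVER_PORT}; confirm the indexer listens there")
    inputs = files.get("inputs.conf")
    if inputs is None or not enabled_eventlog_inputs(inputs.decode()):
        findings.append("inputs.conf: no enabled WinEventLog:// stanza, nothing will be forwarded")
    return findings


def load_app_conf_files(app_dir: str) -> dict[str, bytes]:
    """Read default/*.conf then local/*.conf (local wins, as in Splunk's precedence)."""
    files: dict[str, bytes] = {}
    for sub in ("default", "local"):
        for path in sorted(Path(app_dir, sub).glob("*.conf")):
            files[path.name] = path.read_bytes()
    return files


if __name__ == "__main__":
    sample = {"outputs.conf": SAMPLE_OUTPUTS_CONF.encode(), "inputs.conf": SAMPLE_INPUTS_CONF.encode()}
    for finding in check_app(sample) or ["no findings"]:
        print(finding)
```

Run it against a real app with `check_app(load_app_conf_files("/opt/splunk/etc/deployment-apps/Splunk_TA_windows"))`. It only inspects files on the deployment server, so it cannot tell you whether the indexer is actually listening on 9997; that is still the Settings -> Forwarding and receiving check from the thread.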