Deployment Architecture

Windows Forwarder not collecting EventLogs


"When the installer prompts you to specify inputs, enable the event log inputs by checking the "Event logs" checkbox."

  • I also pushed inputs.conf for eventlog collection via deployment server with the below stanza.

        [WinEventLog://Application]
        disabled=0

        [WinEventLog://Security]
        disabled=0

        [WinEventLog://System]
        disabled=0

Eventlog data is not getting collected. Also there is no output for the host on the Search Head.

1) I noticed this error in the splunkd.log on the Windows forwarder and I'm not aware of this error; I also couldn't find much info in the Splunk docs / Splunk Answers. All I did was install the forwarder on the host. I never set up any cron for the Splunk exe process and I'm unable to figure out this error.

Could someone please guide:

08-01-2017 06:26:04.223 -0400 ERROR ExecProcessor - message from ""E:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza get-networklatency. Invalid cron schedule: 0*/5***?

2) Also, am I missing out on any steps for configuring the Windows forwarder Eventlog collection?

0 Karma

Splunk Employee

Start it over. Reinstall the forwarder and accept defaults. Only set the deployment server values during the install. Then make sure the respective apps are installed from the deployment server. If not, then start there.

Also, make sure you have network connectivity between this endpoint and the indexers as well as the deployment server. I've seen many hours wasted on Splunk when it turns out it's just a networking blockage.

0 Karma
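
The checks suggested in the answer above (apps delivered, inputs effective, network reachable), as an added PowerShell example that is not part of the original thread or Splunk's own tooling. The host names are placeholders, ports 8089 and 9997 are the conventional management and receiving ports and are assumed here, and the install path is the one shown in the log line in the question.

```powershell
# Added troubleshooting example; not from the original thread.
$SplunkHome = 'E:\Program Files\SplunkUniversalForwarder'  # path from the log line in the question
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'

# Placeholder endpoints (assumptions): substitute your own hosts.
# 8089 and 9997 are the conventional management and receiving ports.
$Endpoints = @(
    @{ Role = 'deployment server'; Target = 'deploy.example.com'; Port = 8089 },
    @{ Role = 'indexer';           Target = 'idx1.example.com';   Port = 9997 }
)

# 1. Apps present on disk: the app carrying inputs.conf should be listed here
#    if the deployment server delivered it.
Get-ChildItem (Join-Path $SplunkHome 'etc\apps') -Directory |
    Select-Object Name, LastWriteTime

# 2. Effective WinEventLog stanzas after config layering; --debug prefixes each
#    line with the file it came from, so a "disabled = 1" override is visible.
& $Splunk cmd btool inputs list WinEventLog --debug

# 3. Find which file defines the PowerShell input named in the ExecProcessor
#    error (stanza get-networklatency) and what schedule it carries.
& $Splunk cmd btool inputs list powershell --debug |
    Select-String -Pattern 'get-networklatency' -Context 0, 8

# 4. TCP reachability from this endpoint to each Splunk tier.
foreach ($e in $Endpoints) {
    $r = Test-NetConnection -ComputerName $e.Target -Port $e.Port -WarningAction SilentlyContinue
    '{0,-18} {1}:{2} reachable={3}' -f $e.Role, $e.Target, $e.Port, $r.TcpTestSucceeded
}

# 5. Most recent errors and warnings from the forwarder's own log.
Select-String -Path (Join-Path $SplunkHome 'var\log\splunk\splunkd.log') -Pattern ' (ERROR|WARN) ' |
    Select-Object -Last 20 -ExpandProperty Line
```

Run it from an elevated PowerShell prompt on the forwarder host; step 3 shows which app ships the stanza behind the "Invalid cron schedule" message, which is separate from the WinEventLog inputs checked in step 2.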