Windows Forwarder not collecting EventLogs

saranya_fmr
Communicator

"When the installer prompts you to specify inputs, enable the event log inputs by checking the "Event logs" checkbox."

  • I also pushed inputs.conf for eventlog collection via deployment server with the below stanza.

    [WinEventLog://Application]
    disabled=0

    [WinEventLog://Security]
    disabled=0

    [WinEventLog://System]
    disabled=0

Eventlog data is not getting collected. Also there is no output for the host on the Search Head.

1) I noticed this error in the splunkd.log on the Windows forwarder and I'm not aware of this error; I also couldn't find much info in the Splunk docs / Splunk Answers. All I did was install the forwarder on the host. I never set up any cron for the Splunk exe process and I'm unable to figure out this error.

Could someone please guide:

08-01-2017 06:26:04.223 -0400 ERROR ExecProcessor - message from ""E:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza get-networklatency. Invalid cron schedule: 0*/5***?

2) Also, am I missing out on any steps for configuring the Windows forwarder Eventlog collection?

0 Karma

sloshburch
Splunk Employee

Start it over. Reinstall the forwarder and accept defaults. Only set the deployment server values during the install. Then make sure the respective apps are installed from the deployment server. If not, then start there.

Also, make sure you have network connectivity between this endpoint and the indexers as well as the deployment server. I've seen many hours wasted on Splunk when it turns out it's just a networking blockage.

0 Karma
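
The checks this answer recommends (deployment server apps present, event log stanzas enabled, network paths open), as an added PowerShell example that is not part of the original thread. It assumes the install path shown in the question's splunkd.log line and uses only `splunk btool` and `Test-NetConnection`; `Get-BtoolValue` is a helper name made up here.

```powershell
# Added diagnostic example; run in an elevated PowerShell on the forwarder host.
# Assumption: install path copied from the splunkd.log line in the question.
$SplunkHome = 'E:\Program Files\SplunkUniversalForwarder'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'

# Hypothetical helper: values of one key from the merged configuration
# the forwarder actually uses (all apps and defaults combined by btool).
function Get-BtoolValue {
    param([string]$Conf, [string]$Key)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(.+)$'
    & $Splunk btool $Conf list | ForEach-Object {
        if ($_ -match $pattern) { $Matches[1].Trim() }
    }
}

# 1. Apps present on disk (apps pushed by the deployment server land in etc\apps).
Get-ChildItem (Join-Path $SplunkHome 'etc\apps') -Directory |
    Select-Object Name, LastWriteTime | Format-Table -AutoSize

# 2. Are the three stanzas from the question present and enabled after merging?
foreach ($log in 'Application', 'Security', 'System') {
    $out     = & $Splunk btool inputs list "WinEventLog://$log"
    $found   = [bool]$out
    $enabled = [bool]($out -match '^\s*disabled\s*=\s*(0|false)\s*$')
    '{0,-12} stanza found={1} enabled={2}' -f $log, $found, $enabled
}

# 3. TCP reachability of the deployment server and every configured indexer.
$endpoints  = @(Get-BtoolValue deploymentclient targetUri)
$endpoints += @(Get-BtoolValue outputs server) -split '\s*,\s*'
foreach ($ep in @($endpoints | Where-Object { $_ } | Select-Object -Unique)) {
    $hostPort    = $ep -replace '^\w+://', ''      # drop an optional scheme
    $name, $port = $hostPort -split ':', 2
    $r = Test-NetConnection -ComputerName $name -Port ([int]$port) -WarningAction SilentlyContinue
    '{0,-40} reachable={1}' -f $ep, $r.TcpTestSucceeded
}
```

A `reachable=False` line points at the networking blockage the answer warns about; a stanza reported as not found means the deployment server app never arrived on this host.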