Hey,
I'm trying to get Windows event logs (Security, Application, etc.) to my Splunk server.
I installed the Splunk universal forwarder and enabled the receiver to listen on port 9997 (there is no firewall).
I see on the Splunk Web GUI that events are getting into Splunk. I try to search by host="server01", but it only returns the "splunkd" sourcetype.
If I go to settings -> data type -> forwarded inputs -> new, I get:
"There are currently no forwarders configured as deployment clients to this instance."
(Don't know if it's connected to my problem.)
Please, what did I miss?
Does the index = wineventlog exist on your indexer?
Do you mean on: Settings - Indexes?
I just have the defaults, starting with _audit and ending with _summary.
Should I create a new one called wineventlog?
Yes, else those WinEventLogs have no index to be stored in.
BTW, where is your main index? This should also be installed by default.
I have main.
I got 9 default indexes.
I created a new one called "WinEventLogs".
Still I don't get these Security + Application logs.
Your inputs.conf has this setting: index = wineventlog
NOT index = wineventlog*s*
THANKS
I think it worked 🙂
How do I disable the "splunkd" sourcetype? It's flooding my server.
You should not disable it; those are the Splunk internal messages. You will need them in case of any troubleshooting 😉
Thanks MuS!
I looked on another client Splunk server; it has no index called WinEventLogs.
I copied all the inputs.conf from the working server.
Update:
The "main" size is only 1 MB, maybe it's connected?
Try searching like this for a start:
index=* earliest=0 latest=now
This will search all indexes over all time. If you don't see your events in this search, you should check whether the receiving port is listening and whether the receiving index you configured in inputs.conf on the forwarder does exist on the indexer. See the docs for some more hints: http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Receiverconnection
The deployment client GUI is only used if you deploy configuration files towards your universal forwarders.
I do get real-time events, just from sourcetype = splunkd:
"03-05-2015 12:05:32.215 +0000 INFO Metrics - group=tpool, name=batchreadertpool, qsize=0, workers=1, qwork_units=0
host: myserver source=C:\ProgramFiles\SplunkUniversalForwarder\var\log\splunk\metrics.log sourcetype = splunkd "
Where are the Application log and Security log?
Are the inputs enabled on the forwarder? Please paste the inputs.conf from the forwarder with the settings for those event logs.
From "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local":
inputs.conf
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
Should I create an inputs.conf in
"C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local"?
No, looks good. Did you restart the forwarder? What is reported if you run the following command:
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd btool inputs list WinEventLog
I'll update my conf file to:
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
blacklist = ccSvcHst.exe
whitelist = 4624,4634,4720,5156,5152
[WinEventLog://System]
disabled = 0
btool inputs list WinEventLog:
[WinEventLog]
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = Myserver
index = default
interval = 60
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = Myserver
index = wineventlog
interval = 60
renderXml = false
start_from = oldest
[WinEventLog://Security]
blacklist = ccSvcHst.exe
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 1
host = Myserver
index = wineventlog
interval = 60
renderXml = false
start_from = oldest
whitelist = 4624,4634,4720,5156,5152
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = Myserver
index = wineventlog
interval = 60
renderXml = false
start_from = oldest