Getting Data In
After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Contributor

I installed the Universal Forwarder using the MSI, specified server info, but didn't check any boxes for wineventlog and such. I can see the PC checking in on the Splunk server, but it's not receiving any data. This is my ...\etc\system\local\inputs.conf

[default]
host = PBDC-LT-16

[WinEventLog:System]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Security]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Application]
interval=60
index=wineventlog
disabled=0

0 Karma

Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Splunk Employee

Try checking your universal forwarder installation against these instructions:
http://docs.splunk.com/Documentation/SplunkLight/6.5.0/GettingStarted/GettingdataintoSplunkLightusin...

Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Contributor

Very nice, I didn't realize this was an option. However, it's a bit light. The config files have far more options to configure, and I can't determine how to do that.

0 Karma

Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Splunk Employee

Try the Splunk Enterprise Getting Data In manual, which has more information:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/AboutWindowsdataandSplunk

0 Karma

Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Splunk Employee

More specific instructions for event log monitoring and universal forwarder config info using Windows:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowseventlogdata

0 Karma

Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Contributor

Again, I have followed that. I have changed /etc/system/local/inputs.conf to the config shown above, on the local forwarder. I restarted the Splunk Forwarder service, and did not see any change.

0 Karma

Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

SplunkTrust

Is your outputs.conf pointing to your indexer? Did you restart the Splunk web service after making these changes?

0 Karma

Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Contributor

Yep, outputs.conf is fine. The inputs.conf file I'm referencing here is on the forwarder, not the server. Why would I restart the server?

0 Karma

Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Splunk Employee

Here's a similar situation on Answers that might help resolve your issue:
https://answers.splunk.com/answers/98072/not-receiving-data-from-windows-forwarder.html

In particular "Have you opened the port on your Splunk indexer to receive data from the forwarder? I would try doing a tcpdump/netstat to see if data is leaving the Windows box and/or being received on the Splunk Indexer."
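
The netstat check quoted in the answer above separates a network problem from a forwarder configuration problem. The following is an added example, not part of the thread or of Splunk's tooling; the indexer address 192.0.2.10 and receiving port 9997 are assumptions (the thread states neither), and the `netstat -ano` output is constructed.

```python
"""Triage Windows `netstat -ano` output from a forwarder (added example)."""

# Assumptions, not from the thread: indexer address and receiving port.
INDEXER_IP = "192.0.2.10"  # documentation-range placeholder
RECEIVE_PORT = 9997        # commonly used Splunk receiving port; confirm yours

# Constructed sample. It includes a row to a different port on the same
# host, which must not be counted as the data connection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.16:49710        192.0.2.10:8089        TIME_WAIT       0
  TCP    10.0.0.16:49822        192.0.2.10:9997        SYN_SENT        2384
  UDP    0.0.0.0:5353           *:*                                    1500
"""


def connection_states(netstat_text, indexer_ip, port):
    """Return the TCP state of every socket whose remote end is indexer_ip:port."""
    target = f"{indexer_ip}:{port}"
    states = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 fields: proto, local, foreign, state, pid.
        if len(fields) == 5 and fields[0] == "TCP" and fields[2] == target:
            states.append(fields[3])
    return states


def diagnose(netstat_text, indexer_ip=INDEXER_IP, port=RECEIVE_PORT):
    """Classify the forwarder-to-indexer data path from netstat output."""
    states = connection_states(netstat_text, indexer_ip, port)
    if "ESTABLISHED" in states:
        # Path is open: look at inputs.conf and the target index instead.
        return "connected"
    if "SYN_SENT" in states:
        # SYNs leave but get no answer: firewall, or listener unreachable.
        return "no_reply"
    # No socket at all: the forwarder is not connecting to this address/port
    # (check the outputs.conf target and that the service is running).
    return "not_connecting"


if __name__ == "__main__":
    print(diagnose(SAMPLE_NETSTAT))
```

A result of `connected` with no events arriving points back at the forwarder's inputs or the destination index rather than at ports or firewalls.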


Re: After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

Contributor

If I configure Splunk server to get the data, it works. I'm feeling it's just wrong config rather than ports or firewalls. I'll take a look though.

0 Karma