Getting Data In

After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

tmontney
Builder

I installed the Universal Forwarder using the MSI, specified server info, but didn't check any boxes for wineventlog and such. I can see the PC checking in on the Splunk server, but it's not receiving any data. This is my ...\etc\system\local\inputs.conf

[default]
host = PBDC-LT-16

[WinEventLog:System]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Security]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Application]
interval=60
index=wineventlog
disabled=0
0 Karma
1 Solution

gneumann_splunk
Splunk Employee
Splunk Employee

Here's a similar situation on Answers that might help resolve your issue:
https://answers.splunk.com/answers/98072/not-receiving-data-from-windows-forwarder.html

In particular "Have you opened the port on your Splunk indexer to receive data from the forwarder? I would try doing a tcpdump/netstat to see if data is leaving the Windows box and/or being received on the Splunk Indexer."

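The accepted answer comes down to two checks: is the forwarder actually attempting a connection to the indexer's receiving port, and is the indexer listening on it with a peer connected. The script below is an added example, not part of the original thread or of Splunk's own tooling. It parses the output of Windows `netstat -ano` (run on the forwarder) and Linux `ss -tan` (run on the indexer) and classifies the result; the sample outputs, the indexer address 10.0.0.5, the forwarder address 192.168.1.20 and the receiving port 9997 are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` as run on the Windows forwarder.
# 10.0.0.5:9997 is an assumed indexer and receiving port.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.20:49712     10.0.0.5:9997          ESTABLISHED     4120
  TCP    192.168.1.20:49800     52.1.2.3:443           ESTABLISHED     2210
"""

# Constructed sample of `ss -tan` as run on the Linux indexer.
SAMPLE_SS = """
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:8089          0.0.0.0:*
LISTEN     0      128    0.0.0.0:9997          0.0.0.0:*
ESTAB      0      0      10.0.0.5:9997         192.168.1.20:49712
ESTAB      0      0      10.0.0.5:8000         10.0.0.9:51022
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
SS_RE = re.compile(r"^\s*(\S+)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*$")


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Return one dict per TCP row of Windows `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"local": m.group(1), "remote": m.group(2),
                         "state": m.group(3), "pid": m.group(4)})
    return rows


def diagnose_forwarder(netstat_text: str, indexer: str, port: int = 9997) -> str:
    """Classify the forwarder side from its own socket table.

    connected       - a TCP session to indexer:port is ESTABLISHED
    blocked         - SYN sent but never answered: firewall, or nothing
                      listening on the indexer (receiving port not enabled)
    not_attempting  - no socket aimed at the indexer at all: outputs.conf
                      does not point there, or splunkd is not running
    """
    target = f"{indexer}:{port}"
    states = {r["state"] for r in parse_netstat(netstat_text) if r["remote"] == target}
    if "ESTABLISHED" in states:
        return "connected"
    if "SYN_SENT" in states:
        return "blocked"
    return "not_attempting"


def indexer_receiving(ss_text: str, port: int = 9997) -> Tuple[bool, List[str]]:
    """Return (listening_on_port, sorted peer IPs with an ESTAB session to it)."""
    listening = False
    peers = set()
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        state, local_port, peer_addr = m.group(1), m.group(3), m.group(4)
        if local_port != str(port):
            continue
        if state == "LISTEN":
            listening = True
        elif state == "ESTAB":
            peers.add(peer_addr)
    return listening, sorted(peers)


if __name__ == "__main__":
    print("forwarder:", diagnose_forwarder(SAMPLE_NETSTAT, "10.0.0.5"))
    print("indexer:", indexer_receiving(SAMPLE_SS))
```

If the forwarder reports `connected` and the indexer shows the forwarder's IP as a peer, the transport is fine and the problem is in inputs.conf or in how the events are being searched for (index, host value), which is what turned out to be the case in this thread.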

tmontney
Builder

If I configure Splunk server to get the data, it works. I'm feeling it's just wrong config rather than ports or firewalls. I'll take a look though.

0 Karma

tmontney
Builder

My apologies, it is working actually. I was basing it off the "Last Updated" section of the Search page. It was looking for the hostname rather than the hostname's FQDN (treating them as separate hosts).
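The actual cause here was not the input at all: `[default] host = PBDC-LT-16` in the forwarder's inputs.conf stamps events with the short hostname, while the search was filtering on the FQDN, and Splunk treats the two as unrelated host values. The script below is an added example, not from the original post or from Splunk, that reads the `host` value out of an inputs.conf, finds host values that are the same machine under a short name and an FQDN, and builds a search clause that matches both. The inputs.conf text is the one posted above; the list of host values and the domain `corp.example.com` are constructed for the example.

```python
import configparser
from collections import defaultdict
from typing import Dict, List, Optional

# The forwarder's inputs.conf as posted in the thread.
INPUTS_CONF = """
[default]
host = PBDC-LT-16

[WinEventLog:System]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Security]
interval=60
index=wineventlog
disabled=0
"""

# Constructed list of host values, as `| metadata type=hosts` might return
# them; corp.example.com is an assumed domain, not the poster's.
SAMPLE_HOSTS = [
    "PBDC-LT-16",
    "pbdc-lt-16.corp.example.com",
    "web01",
    "db01.corp.example.com",
    "10.0.0.7",
]


def default_host(inputs_conf: str) -> Optional[str]:
    """Return the host set under [default] in an inputs.conf, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inputs_conf)
    return cp.get("default", "host", fallback=None)


def short_name(host: str) -> str:
    """Lower-cased first label of a hostname; IP addresses are left whole."""
    if host.replace(".", "").isdigit():
        return host
    return host.split(".", 1)[0].lower()


def find_split_hosts(hosts: List[str]) -> Dict[str, List[str]]:
    """Map each short name to the distinct host values that share it.

    Only groups with more than one value are returned: those are machines
    whose events are split across a short name and an FQDN.
    """
    groups = defaultdict(set)
    for h in hosts:
        groups[short_name(h)].add(h)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def host_clause(host: str) -> str:
    """SPL clause that matches the host by short name or by any FQDN form."""
    s = short_name(host)
    return f'(host="{s}" OR host="{s}.*")'


if __name__ == "__main__":
    print("inputs.conf host:", default_host(INPUTS_CONF))
    print("split hosts:", find_split_hosts(SAMPLE_HOSTS))
    print("search with:", host_clause(default_host(INPUTS_CONF)))
```

The durable fix is to make the forwarder's `host` value agree with what the rest of the deployment uses (either set it to the FQDN in `[default]`, or leave it unset so the forwarder derives it), rather than carrying an `OR` in every search.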

gneumann_splunk
Splunk Employee
Splunk Employee

Great to know it's working!

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Is your outputs.conf pointing to your indexer? Did you restart the Splunk web service after making these changes?

0 Karma

tmontney
Builder

Yep, outputs.conf is fine. The inputs.conf file I'm referencing here is on the forwarder, not the server. Why would I restart the server?

0 Karma

gneumann_splunk
Splunk Employee
Splunk Employee

Try checking your universal forwarder installation against these instructions:
http://docs.splunk.com/Documentation/SplunkLight/6.5.0/GettingStarted/GettingdataintoSplunkLightusin...

tmontney
Builder

Very nice, I didn't realize this was an option. However, it's a bit light. The config files have far more options to configure, and I can't determine how to do that.

0 Karma

gneumann_splunk
Splunk Employee
Splunk Employee

Try the Splunk Enterprise Getting Data In manual, which has more information:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/AboutWindowsdataandSplunk

0 Karma

gneumann_splunk
Splunk Employee
Splunk Employee

More specific instructions for event log monitoring and universal forwarder config info using Windows:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowseventlogdata

0 Karma

tmontney
Builder

Again, I have followed that. I have changed /etc/system/local/inputs.conf to the config shown above, on the local forwarder. I restarted the Splunk Forwarder service, and did not see any change.

0 Karma