Getting Data In

After installing the universal forwarder on 30+ Windows hosts, why am I only getting Windows event logs from 2 of them?

gph12
Explorer

Hello,

I'm new to Splunk and hope someone can point me in the right direction. I installed Splunk Enterprise on a Windows server and applied the license. I installed the Splunk Universal Forwarder on 2 Windows servers. I enabled port 9997 on the Splunk server and added the Windows Events logs and logs started coming in from the two hosts.

I then proceeded to install the UF client on about 30 Windows 7 workstations and 10 Windows 2008 R2 servers. Only log info from those first two servers is showing up in Splunk.

When I go to Data Inputs | Windows Event Logs | Add New, there are no other hosts listed that I can add.

The servers are on the same subnet as the Splunk server so no firewall is blocking traffic. From the command line, I ran the netstat command and it shows me a half dozen computers with established connections on port 9997 to the Splunk server. So I don't know what I'm missing.

I did get a message:

splunk received event for unconfigured/disabled index='wineventlog' with source='source::WineventLog:Security' host='host::Desktop5'sourcetype='sourcetype::WineventLog::Security' (1 missing total)  

I created an index called wineventlog and it began growing, but I still only see logs from the original two hosts.

I've been reading the documentation but not the right parts. I'd appreciate any help.

Thanks,

Greg

0 Karma

yannK
Splunk Employee

  • check the "host" name of the servers in the $SPLUNK_HOME/etc/system/local/inputs.conf, maybe they all have the same name and their events look the same.

  • or check if splunk has permissions to collect the WinEventLogs on them.

0 Karma

somesoni2
SplunkTrust

Do you see events from those 30 (new) Windows machines for index=_internal on your Splunk instance? If you don't even see the _internal events, then there are configuration issues. Can you compare the outputs.conf file (I believe it should be in the $Splunk_Home\etc\system\local directory) of the first 2 configured servers and the new servers?

0 Karma

gph12
Explorer

Thanks for the response. On the clients I found the outputs.conf and deploymentclient.conf had a typo in the FQDN. I corrected that and restarted the Splunk UF service. The Splunk server now sees log data from servers on the same subnet but not workstations on other subnets.

Netstat shows connections between the server and the workstations and our network guys say the ports are open so we're still looking into it.
Thanks,
Greg

0 Karma
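The two checks suggested above (compare each forwarder's outputs.conf and deploymentclient.conf against the working servers, and look for forwarders that all report the same host name in inputs.conf) can be scripted once the files are collected. This is an added example, not code from the thread or from Splunk; it parses the INI-style .conf files with Python's configparser and assumes the indexer and deployment-server addresses (splunk.example.internal) are placeholders you replace with your own.

```python
import configparser
from collections import Counter

# Placeholder addresses for this example; replace with your own indexer / deployment server.
EXPECTED_INDEXER = "splunk.example.internal:9997"
EXPECTED_DS = "splunk.example.internal:8089"

def parse_conf(text):
    """Splunk .conf files are INI-style: keep key case, tolerate repeated keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def audit_client(name, outputs, deploymentclient, inputs):
    """Return the problems found in one forwarder's $SPLUNK_HOME/etc/system/local files."""
    problems = []
    out = parse_conf(outputs)
    groups = [s for s in out.sections() if s.startswith("tcpout:")]
    if not groups:
        problems.append(f"{name}: no [tcpout:<group>] stanza in outputs.conf")
    for g in groups:  # every server= target must be the real indexer, exactly
        for target in out[g].get("server", "").split(","):
            if target.strip() != EXPECTED_INDEXER:
                problems.append(f"{name}: outputs.conf server={target.strip()!r}")
    uri = parse_conf(deploymentclient).get("target-broker:deploymentServer", "targetUri", fallback="")
    if uri != EXPECTED_DS:
        problems.append(f"{name}: deploymentclient.conf targetUri={uri!r}")
    return problems

def audit_fleet(clients):
    """clients: {name: (outputs.conf text, deploymentclient.conf text, inputs.conf text)}.
    Also flags forwarders sharing the same inputs.conf [default] host=, whose events
    then become indistinguishable in search (the first check suggested above)."""
    problems, hosts = [], {}
    for name, (o, d, i) in clients.items():
        problems += audit_client(name, o, d, i)
        hosts[name] = parse_conf(i).get("default", "host", fallback=name)
    for h, n in Counter(hosts.values()).items():
        if n > 1:
            problems.append(f"host={h!r} is set on {n} forwarders: {[k for k, v in hosts.items() if v == h]}")
    return problems

# Constructed sample configs: DESKTOP5 carries the kind of FQDN typo found in the thread.
GOOD_OUT = "[tcpout]\ndefaultGroup = idx\n[tcpout:idx]\nserver = splunk.example.internal:9997\n"
BAD_OUT = GOOD_OUT.replace("splunk.example", "splunk.exmaple")
GOOD_DC = "[target-broker:deploymentServer]\ntargetUri = splunk.example.internal:8089\n"
BAD_DC = GOOD_DC.replace("splunk.example", "splunk.exmaple")
INPUTS = "[default]\nhost = Desktop5\n[WinEventLog://Security]\ndisabled = 0\nindex = wineventlog\n"
FLEET = {"SRV1": (GOOD_OUT, GOOD_DC, INPUTS.replace("Desktop5", "SRV1")),
         "DESKTOP5": (BAD_OUT, BAD_DC, INPUTS),
         "DESKTOP6": (GOOD_OUT, GOOD_DC, INPUTS)}  # cloned image, host= never updated

if __name__ == "__main__":
    for p in audit_fleet(FLEET):
        print(p)
```

A forwarder that passes this audit but still shows nothing in index=_internal is worth checking for the permission and network issues raised in the thread rather than for config typos.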