Getting Data In

After installing the universal forwarder on 30+ Windows hosts, why am I only getting Windows event logs from 2 of them?

gph12
Explorer

Hello,

I'm new to Splunk and hope someone can point me in the right direction. I installed Splunk Enterprise on a Windows server and applied the license. I installed the Splunk Universal Forwarder on 2 Windows servers. I enabled port 9997 on the Splunk server and added the Windows Event logs, and logs started coming in from the two hosts.

I then proceeded to install the UF client on about 30 Windows 7 workstations and 10 Windows 2008 R2 servers. Only log info from those first two servers is showing up in Splunk.

When I go to Data Inputs | Windows Event Logs | Add New, there are no other hosts listed that I can add.

The servers are on the same subnet as the Splunk server so no firewall is blocking traffic. From the command line, I ran the netstat command and it shows me a half dozen computers with established connections on port 9997 to the Splunk server. So I don't know what I'm missing.

I did get a message:

splunk received event for unconfigured/disabled index='wineventlog' with source='source::WineventLog:Security' host='host::Desktop5'sourcetype='sourcetype::WineventLog::Security' (1 missing total)  

I created an index called wineventlog and it began growing, but I still only see logs from the original two hosts.

I've been reading the documentation but not the right parts. I'd appreciate any help.

Thanks,

Greg

0 Karma

yannK
Splunk Employee

  • check the "host" name of the servers in the $SPLUNK_HOME/etc/system/local/inputs.conf; maybe they all have the same name, and their events look the same.

  • or check if splunk has permissions to collect the WinEventLogs on them.

0 Karma

somesoni2
SplunkTrust

Do you see events from those 30 (new) Windows machines for index=_internal on your Splunk instance? If you don't even see the _internal events, then there are configuration issues. Can you compare the outputs.conf file (I believe it should be in the $Splunk_Home\etc\system\local directory) of the first 2 configured servers and the new servers?

0 Karma

gph12
Explorer

Thanks for the response. On the clients I found the outputs.conf and deploymentclient.conf had a typo in the FQDN. I corrected that and restarted the Splunk UF service. The Splunk server now sees log data from servers on the same subnet but not workstations on other subnets.

Netstat shows connections between the server and the workstations and our network guys say the ports are open so we're still looking into it.
Thanks,
Greg

0 Karma
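The two checks suggested in this thread (somesoni2's "compare outputs.conf across forwarders" and yannK's "do they all have the same host name") can be automated once the .conf files are pulled off the forwarders. The following is an added example, not code from the thread or from Splunk; the stanza layout follows the standard outputs.conf/inputs.conf format, while the hostnames, the sample FQDN typo and the `__unused__` default-section name are constructed for the demo.

```python
import configparser

# Constructed sample outputs.conf files (hypothetical names, not from the thread):
# the first carries the kind of FQDN typo the poster found, the second is corrected.
OUTPUTS_CONF_BAD = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk-srv.corp.exmaple.com:9997
"""
OUTPUTS_CONF_GOOD = OUTPUTS_CONF_BAD.replace("exmaple", "example")

def parse_conf(text):
    """Splunk .conf files are INI-like; treat [default] as an ordinary stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)
    return cp

def forwarder_targets(conf_text):
    """Return (host, port) for every server= entry in the tcpout:<group> stanzas."""
    targets = []
    cp = parse_conf(conf_text)
    for section in cp.sections():
        if section.startswith("tcpout:") and cp.has_option(section, "server"):
            for entry in cp.get(section, "server").split(","):
                host, _, port = entry.strip().rpartition(":")
                targets.append((host, int(port)))
    return targets

def check_targets(conf_text, expected_host, expected_port=9997):
    """Flag server entries that do not point at the indexer you expect."""
    problems = []
    for host, port in forwarder_targets(conf_text):
        if host.lower() != expected_host.lower():
            problems.append(f"host mismatch: {host!r} != {expected_host!r}")
        if port != expected_port:
            problems.append(f"port mismatch: {port} != {expected_port}")
    return problems

def duplicate_host_names(inputs_by_machine):
    """Which 'host =' value in inputs.conf [default] is shared by several forwarders?"""
    seen = {}
    for machine, text in inputs_by_machine.items():
        cp = parse_conf(text)
        if cp.has_option("default", "host"):
            seen.setdefault(cp.get("default", "host"), []).append(machine)
    return {h: m for h, m in seen.items() if len(m) > 1}
```

Run `check_targets` over each forwarder's outputs.conf and `duplicate_host_names` over the collected inputs.conf files; a non-empty result points at the forwarder whose events are either never reaching the indexer or are being merged under another machine's host name.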