I have installed Splunk on a Linux box and it is listening for incoming data on 9997. Our Linux boxes send their syslog to it and that works fine.
The Windows boxes, however, do not send any Event Viewer logs. I installed SplunkForwarder on one and followed the prompts, where I entered the receiver server and port 9997. I also restarted the Splunk service just in case.
What additional configuration needs to be done to ensure Event Viewer logs/AD monitoring start to populate my Splunk sitting on the Linux box?
I'm able to telnet to 9997 from Windows to Linux so it is not an access issue.
When you installed the Splunk Universal Forwarder on the Windows system, did you check the appropriate check-boxes on the "Enable Windows Inputs" page near the end of the install?
If not, you'll need to enable them in the Windows system's "inputs.conf" file - see this page for details.
TL;DR notes:
Edit the inputs.conf on the Windows system (usually C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf) and add these lines:
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
You'll need to restart the SplunkUniversalForwarder service on the Windows system. Your Splunk index should start receiving these events.
Hey, I am wondering how I can send log files from Linux to Windows? I downloaded Splunk on Windows and the forwarder on Linux. I can telnet to 9997 from Linux to Windows, but I don't know how to send the files. Can anybody help me with it?
Installing on a different Windows box worked with the above settings. Thanks.
I am getting the logs by installing splunk universal forwarder on my server and by modifying inputs.conf as shown below
[WinEventLog://Security]
disabled = 0
But can somebody please tell me how I get only event IDs 6276 and 6278, not all events?
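To tie the answer above (the three WinEventLog stanzas) together with this comment's question about collecting only two event IDs, here is a complete forwarder configuration as an added example. It is not from the original thread or from Splunk's documentation: the index name `wineventlog` and the receiver host `splunk.example.internal` are assumed placeholders, and the event IDs 6276 and 6278 are the ones asked about in the comment.

```ini
# --- inputs.conf (C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf) ---
# Added example, not from the original thread. Collects the three standard
# Windows event logs; the Security stanza is additionally filtered to the two
# event IDs asked about in the comments (6276 and 6278).

[WinEventLog://Application]
disabled = 0
# "oldest" replays what is already in the log on first start; "newest" collects only new events
start_from = oldest
current_only = 0

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
# Keep only these event codes; every other Security event is dropped at the forwarder,
# which also keeps the volume sent over port 9997 small
whitelist = 6276,6278
# Equivalent regex form, should the list grow:  whitelist = EventCode=%^(6276|6278)$%
# Optional: send these events to a dedicated index (assumed name; it must exist on the indexer)
index = wineventlog

# --- outputs.conf (same directory) ---
# The receiver entered at the installer prompts ends up here; the host name is a placeholder.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk.example.internal:9997
```

After saving both files, restart the forwarder service on the Windows box. On the Linux indexer, the events should then show up under `index=wineventlog sourcetype=WinEventLog:Security`; if nothing arrives, `splunk.exe list forward-server` from the forwarder's `bin` folder shows whether the receiver is listed as active or as configured but not connected.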
Did you read the following topics in the docs?
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata
/K
More details than "unable to install" would help.
I have tried doing this again on another Windows box and I'm unable to install the program that will forward logs to the Splunk box. Can someone help?
Thank you for these links. However, I see some things are missing here:
Configure remote event log monitoring
1. Click Settings in the upper right-hand corner of Splunk Web.
2. Under Data, click Data Inputs.
3. Click Remote event log collections.
4. Click Add new to add an input.
I do not see Remote event log collections under Data Inputs. Do I need to activate something in Splunk on my Linux box to show this?