I am very new to Splunk and am trying to configure UF to send data to an indexer on port 9997. I have enabled the receiver in indexer instance. I have added [tcp://....DC IP Address:9997] and index = indexname in the inputs.conf file for UF found in $SPLUNK_HOME$/etc/system/local. I restarted splunkd services but am not getting any data coming to the specified indexer. The firewalls are OFF on the server. Indexer and UF are installed on the same server and this server is part of the domain controller. I apologize if I am not able to provide all the details as I do not have much understanding on it. Please let me know if you require any more information.
Also, when I try to stop splunkd services, I get Error:1035 but the service stops and I can start it again.
Any help is much appreciated. Thank You!
You seem to have missed a few steps, but at the very least you need an outputs.conf as well as inputs.conf on the forwarder.
Take a read of:
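The minimal pair of files the answer above refers to, as an added example (not part of this thread or of Splunk's own documentation). INDEXER_HOST, the index name and the monitored file path are placeholders; replace them with your own values. outputs.conf tells the forwarder where to send data, and inputs.conf tells it what to read; a `[tcp://...]` stanza in inputs.conf would open a listening port on the forwarder rather than send anything out.

```ini
# --- outputs.conf on the universal forwarder ($SPLUNK_HOME/etc/system/local) ---
# Added example, not from the thread. INDEXER_HOST is a placeholder for the
# hostname or IP of the Splunk server that has receiving enabled on 9997.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = INDEXER_HOST:9997

# --- inputs.conf on the same forwarder: what to collect and which index it goes to ---
# A [monitor://...] stanza tails a file; the path and sourcetype below are examples.
[monitor://C:\Logs\app.log]
index = indexname
sourcetype = app_log
disabled = 0

# --- inputs.conf on the indexer: the receiver that "enable receiving" in the UI creates ---
[splunktcp://9997]
disabled = 0
```

After editing either file, restart the forwarder. The forwarder's own log, splunkd.log under $SPLUNK_HOME/var/log/splunk, shows whether the tcpout connection to INDEXER_HOST:9997 was established, which is the first thing to check when no events arrive in the index.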
Hi! I have the outputs.conf and it's showing the default group, tcpout-server and tcpout:default-group configurations. My indexer and UF instance are on the same machine and I am not using the UF as a deployment server. I want to use it to forward data from the domain controllers.
I'm not sure I understand all of your comment.
Do you mean you have installed Splunk core on a server, AND installed Universal forwarder on the same host?
Sorry about that. I'm still new at this. Yes. I have windows server 2019 and I have installed splunk core and UF on the same system.
So there are some totally valid reasons for doing that, but it does make things complicated - especially if this is a POC deployment.
Splunk Core (server) does 'work' on windows, but if this is a longer term deployment, you may want to consider Linux:
In any case, I am assuming that this is not installed on the Domain Controller, and that you plan to collect the logs from the domain controller remotely. Is that correct?
Do you know what logs/data you need to collect from the DC?
As of now, we want to go with Windows deployment. And you are correct. It's not installed on the domain controller and I do plan to collect logs from the domain controller remotely.
I do not know what logs exactly we want but we do need to see any file changes being made, login/logout info, any network issues, etc.
Well, you are limited to a few options.
Text-based log files you can access remotely via a UNC share/mapped drive
Metrics and instrumentation you can pull from remote WMI
Windows Event Forwarding (WEF) - configuring WEF from your DC to your Splunk Host.
See: https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4 for more info on WEF.
If this is just POC, I would remove the UF you have deployed, and just use the copy of Splunk Core to collect all of the above (assuming it meets your needs).
A better solution is to install a UF on the DC, but I am aware this can sometimes be a challenging conversation.
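Two of the agentless options listed above, written out as Splunk configuration on the collecting host. This is an added example, not configuration from the thread or from the linked WEF guide. It assumes a WEF subscription on the DC already delivers events into this host's ForwardedEvents log, that an index named wineventlog exists, and that DC_HOSTNAME is a placeholder for the domain controller. The whitelisted event IDs are standard Windows Security log IDs for logon (4624), logoff (4634), special-privilege logon (4672) and file/object access (4663); 4663 only appears if object access auditing and a SACL on the files are configured on the DC.

```ini
# --- inputs.conf on the Splunk host: read what WEF has already collected ---
# Added example, not from the thread. The ForwardedEvents log is the
# collector-side destination of a WEF subscription.
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog
renderXml = false
# keep only the logon/logoff and file-access events the thread asks about
whitelist = 4624,4634,4663,4672

# --- wmi.conf on the same host: pull the DC's Security log over remote WMI instead ---
# DC_HOSTNAME is a placeholder. splunkd must run as a domain account that is
# allowed to read event logs on the DC remotely; no port 9997 is involved,
# only the RPC/WMI ports the DC already exposes.
[WMI:dc_security]
server = DC_HOSTNAME
interval = 10
event_log_file = Security
index = wineventlog
disabled = 0
```

Use one of the two, not both, for the same log, or every event from the DC lands in the index twice. The WEF route is the lighter one for the DC because the collector never authenticates to it; the WMI route needs a service account with remote event-log read rights, so check with `splunk list inputstatus` and the wmi-related messages in splunkd.log if nothing arrives.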
Yeah, I advised to install UF on the DC which would make it easier to collect logs. But that's not something we can do right now. We also need to get data from Dell and HP switches, etc. Any idea how to collect those? Also, does port 9997 need to be open at the DC to try and collect the logs or is the server port fine? I am sorry if I sound stupid but it's all very new to me. Thanks!
No - 9997 will not be used on the DC at all.
All of the above will occur over the standard SMB/WMI ports your DC would already likely have open.