Getting Data In

Help configuring a domain controller on a universal forwarder to send data to indexer

rahulkumarfgf
Explorer

Hello Guys,
I am very new to Splunk and am trying to configure UF to send data to an indexer on port 9997. I have enabled the receiver in indexer instance. I have added [tcp://....DC IP Address:9997] and index = indexname in the inputs.conf file for UF found in $SPLUNK_HOME/etc/system/local. I restarted splunkd services but am not getting any data coming to the specified indexer. The firewalls are OFF on the server. Indexer and UF are installed on the same server and this server is part of the domain controller. I apologize if I am not able to provide all the details as I do not have much understanding of it. Please let me know if you require any more information.

Also, when I try to stop splunkd services, I get Error 1035, but the service stops and I can start it again.

Any help is much appreciated. Thank You!


nickhills
Ultra Champion

Well, you are limited to a few options.

Text based log files you can access remotely via a UNC share/mapped drive
Metrics and instrumentation you can pull from remote WMI
Windows Event Forwarding (WEF) - configuring WEF from your DC to your Splunk Host.
See: https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4 for more info on WEF.

If this is just a POC, I would remove the UF you have deployed, and just use the copy of Splunk Core to collect all of the above (assuming it meets your needs).

A better solution is to install a UF on the DC, but I am aware this can sometimes be a challenging conversation.

If my comment helps, please give it a thumbs up!

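Added example (not from the original post or from Splunk's own docs): the three collection options from the answer above, expressed as Splunk .conf stanzas, together with the forwarder-side outputs.conf that actually points a forwarder at port 9997. In Splunk a [tcp://...] stanza in inputs.conf opens a listening port on that host; the indexer destination lives in outputs.conf. Hostnames, the 192.0.2.10 address, share path, index and sourcetype names are constructed placeholders.

```ini
# --- $SPLUNK_HOME/etc/system/local/outputs.conf (on the forwarder) ---
# The indexer destination belongs here, not in inputs.conf.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# constructed example address: replace with your indexer's IP:port
server = 192.0.2.10:9997

# --- $SPLUNK_HOME/etc/system/local/inputs.conf (on the collecting host) ---
# Option 3 from the answer: WEF delivers the DC's events into the local
# "Forwarded Events" channel; this stanza monitors that channel.
[WinEventLog://ForwardedEvents]
disabled = 0
# constructed index name; it must already exist on the indexer
index = wineventlog
renderXml = true

# Option 1: a text log reached over a UNC path. The account the Splunk
# service runs as needs read access to the share.
[monitor://\\DC01\logshare\app.log]
disabled = 0
index = wineventlog
# constructed sourcetype name
sourcetype = app_log

# --- $SPLUNK_HOME/etc/system/local/wmi.conf (on the collecting host) ---
# Option 2: pull the DC's event logs over remote WMI.
[WMI:DCEventLogs]
# constructed hostname of the domain controller
server = DC01
interval = 10
event_log_file = Security, System, Directory Service
index = wineventlog
disabled = 0
```

Remote WMI and UNC reads run under the Splunk service account, so give that account only event-log read and share read rights on the DC rather than domain admin membership. Restart splunkd after saving the files and confirm the index named above exists on the indexer, or the events will be dropped.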

rahulkumarfgf
Explorer

As of now, we want to go with Windows deployment. And you are correct. It's not installed on the domain controller and I do plan to collect logs from the domain controller remotely.

I do not know what logs exactly we want but we do need to see any file changes being made, login/logout info, any network issues, etc.
