Hi All,
I have installed the Universal Forwarder on my remote Windows machine. Actually, I have tried configuring "Remote Event Logs", which is under "Add Data".
While configuring this, it asks for the remote Windows machine name, and when I enter it, it throws the error below:
"Unable to get wmi classes from host 'XXYYZZ'. This host may not be reachable or WMI may be misconfigured"
Can anyone help me with this to get my remote Windows logs?
Thanks,
Ramu.R
If you want to collect the logs through the UF, then you shouldn't use Add Data -> Remote Windows Logs on your Enterprise instance (at least I assume that's where you were trying that?). You need to either configure the inputs locally on the UF, or by using forwarder management from an Enterprise instance (turning that into a Deployment Server for your UFs).
Hi Frank,
I have configured the inputs.conf file on my Universal Forwarder on my remote Windows machine and restarted the forwarder, but after that I am still not getting any logs into my Splunk Enterprise instance. Please find the configuration below:
[script ://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[monitor ://C :\logs\remote_access.log]
sourcetype = remote_access_logs
index = remotelogs
[WinEventLog ://Application]
index=remotelogs
[WinEventLog ://Security]
index=remotelogs
[WinEventLog ://System]
index=remotelogs
You need to remove the spaces from those stanzas. Also: have you configured the UF to forward to the Enterprise instance (and are its internal logs indeed coming through)?
Yes, I have configured it and I am getting internal logs (Splunk logs) from my remote Windows machine. Anyway, let me try removing the space in the stanzas.
To clarify what I meant, it should be: [WinEventLog://System]
not [WinEventLog ://System]
Got it, Thank You.
Please let me know the exact search query to fetch the logs; actually I am using the one below:
index="remotelogs" sourcetype="WinEventLog*" (no results found for this)
You're not setting any sourcetype in inputs.conf. I'm not 100% sure if maybe some default config fixes that for Windows events, but you might want to properly assign it in inputs.conf. Search for just index=remotelogs to see if the issue is with the sourcetype not being what you expect.
If the sourcetype is fine, you'll need to do some further troubleshooting.
Does that index exist on your enterprise instance?
Any errors/warnings in splunkd.log on the UF?
[default]
host=XXYYZZ
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0
[monitor://C:\Program Files]
[WinEventLog://Application]
index=''_internal''
[WinEventLog://Security]
index=''_internal''
[WinEventLog://System]
index=''_internal''
Index=_Internal
Received event for unconfigured/disabled/deleted index=''_internal'' with source="source::WinEventLog:System" host="host::XXYYZZ" sourcetype="sourcetype::WinEventLog:System". So far received events from 2 missing index(es).
Can we create a new index on Splunk Enterprise?
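A checker for the two inputs.conf defects that surface in this thread: whitespace before "://" in a stanza header (which Frank points out above), and quote characters inside an index value, which Splunk keeps as part of the index name, as the "unconfigured/disabled/deleted index" message shows. This is an added example, not code from the thread or from Splunk; the two configs embedded in it are constructed from the stanzas posted above, and the index name remotelogs and host XXYYZZ are simply the ones used in the thread.

```python
import re

# Constructed sample: the stanzas posted earlier in this thread, including the
# two defects discussed there (a space before "://" in the headers, and quote
# characters inside the index value, which Splunk treats as part of the name).
BROKEN_INPUTS_CONF = """
[script ://$SPLUNK_HOME\\bin\\scripts\\splunk-wmi.path]
disabled = 0
[monitor ://C :\\logs\\remote_access.log]
sourcetype = remote_access_logs
index = remotelogs
[WinEventLog ://Application]
index="_internal"
[WinEventLog ://Security]
index="_internal"
[WinEventLog ://System]
index="_internal"
"""

# Constructed corrected version: no whitespace in the stanza headers, a plain
# unquoted index name (assumed: remotelogs), and the host set explicitly.
FIXED_INPUTS_CONF = """
[default]
host = XXYYZZ
[monitor://C:\\logs\\remote_access.log]
sourcetype = remote_access_logs
index = remotelogs
[WinEventLog://Application]
index = remotelogs
[WinEventLog://Security]
index = remotelogs
[WinEventLog://System]
index = remotelogs
"""

STANZA_RE = re.compile(r"^\[(?P<body>.*)\]$")
# An input stanza header is <type>://<target>; with whitespace around "://"
# Splunk does not match the header to any input type (the thread's fix was
# to remove the space), so the stanza silently collects nothing.
INPUT_HEADER_RE = re.compile(r"^[A-Za-z]+://\S.*$")
KV_RE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*?)$")


def lint_inputs_conf(text):
    """Return a list of (line_no, stanza, kind, message) findings."""
    findings = []
    stanza = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            stanza = header.group("body")
            if stanza != "default" and not INPUT_HEADER_RE.match(stanza):
                findings.append((line_no, stanza, "header",
                                 "stanza must be [<type>://<target>] with no whitespace around '://'"))
            continue
        kv = KV_RE.match(line)
        if not kv:
            findings.append((line_no, stanza, "syntax", "expected key = value"))
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if key in ("index", "sourcetype"):
            # Quotes are not string delimiters in .conf files: index="_internal"
            # names an index called "_internal" including the quote characters.
            if any(q in value for q in "\"'"):
                findings.append((line_no, stanza, "quoted_value",
                                 f"{key} value {value} contains quote characters; Splunk keeps them literally"))
            bare = value.strip("\"'")
            # Underscore-prefixed indexes are Splunk's own; OS logs belong in a
            # dedicated index that exists on the Enterprise instance.
            if key == "index" and bare.startswith("_"):
                findings.append((line_no, stanza, "internal_index",
                                 f"index {bare} is a Splunk internal index; use a dedicated index such as remotelogs"))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick pass/fail view."""
    counts = {}
    for _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_INPUTS_CONF), ("fixed", FIXED_INPUTS_CONF)):
        found = lint_inputs_conf(text)
        print(f"{name}: {len(found)} finding(s)")
        for line_no, stanza, kind, msg in found:
            print(f"  line {line_no} [{stanza}] {kind}: {msg}")
```

Run it against the forwarder's copy of inputs.conf before restarting the forwarder, then make sure the target index exists on the Enterprise instance (for example with `splunk add index remotelogs` from the Splunk bin directory, or under Settings > Indexes); until it does, the indexer keeps logging the "unconfigured/disabled/deleted index" message shown above and the events are dropped. Note that the forwarder assigns WinEventLog inputs a sourcetype of WinEventLog:<channel> by default, which is what that error message shows, so the search sourcetype="WinEventLog*" matches once the index exists.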
Thanks a lot Mr. Frank, it worked, you rock man 🙂