Getting Data In

How do I edit my configurations to monitor Windows event logs using Splunk Cloud?

apietersen
Contributor

After 2 days of reading numerous help docs and watching tutorial videos, I am still not able to get Splunk Cloud to monitor a simple event log on my Windows test PC. After installing and uninstalling the universal forwarder 10+ times, I am now on the edge of walking away from this Splunk puzzle. The Splunk universal forwarder service is running, the splunkd process is running; what should I check next...

inputs.conf:

[default]
host = Asus-AP

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
<<

server.conf

[general]
serverName = Asus-AP
pass4SymmKey = xxxxxxxxxxxx

[sslConfig]
sslKeysfilePassword = xxxxxxxxxxxx

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
<<

deploymentclient.conf:
[target-broker:deploymentServer]
targetUri = prd-p-7jmfcpd9xcqm.cloud.splunk.com:8089
<<

NO outputs.conf file (why? And where do I correct this? Do I add it manually?)

I am missing a complete step-by-step video or document for making a simple working setup where Splunk Cloud monitors the event log of a Windows PC. When I start reading the help documentation and click on the relevant part, it opens a new page... in no time I have at least 10 pages open and still no answer...

Some help is appreciated.
Regards
A.Pietersen

0 Karma

ryanoconnor
Builder
  1. Are you receiving any internal logs in Splunk Cloud from your Forwarder?

  2. Do you have any outputs configured on your universal forwarder? The following command will list any outputs you have

    ./splunk cmd btool outputs list

Splunk Cloud should provide you with an outputs app to place on your universal forwarder.

0 Karma

apietersen
Contributor

Trying to send some further info; again, not enough karma. pff 😞 Hope this post is allowed. Uninstalled and installed the universal forwarder again (could not remove the app and other stuff from the cloud console).

Here is the output of splunk cmd btool outputs list.
Hope you can find something that solves this issue (note: I can always provide a remote session to our test PC if needed).

C:\Program Files\SplunkUniversalForwarder\bin>splunk cmd btool outputs list
[syslog]
dropEventsOnQueueFull = -1
maxEventSize = 1024
priority = <13>
type = udp
[tcpout]
ackTimeoutOnShutdown = 30
autoLBFrequency = 30
blockOnCloning = true
blockWarnThreshold = 100
compressed = false
connectionTimeout = 20
defaultGroup = splunkcloud
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
forceTimebasedAutoLB = false
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
forwardedindex.filter.disable = false
heartbeatFrequency = 30
indexAndForward = false
maxConnectionsPerIndexer = 2
maxFailuresPerInterval = 2
maxQueueSize = auto
readTimeout = 300
secsInFailureInterval = 1
sendCookedData = true
sslQuietShutdown = false
tcpSendBufSz = 0
useACK = false
writeTimeout = 300
[tcpout:splunkcloud]
compressed = false
disabled = false
server = xxxxxxx.cloud.splunk.com:9997
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslCommonNameToCheck = input-prd-p-7jmfcpd9xcqm.cloud.splunk.com
sslPassword = xxxxxxxx
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true

C:\Program Files\SplunkUniversalForwarder\bin>

regards
apietersen

0 Karma

ryanoconnor
Builder
  1. You have the Cloud Outputs App installed which is good news.
  2. I am able to telnet to input-prd-p-7jmfcpd9xcqm.cloud.splunk.com on port 9997 so it's at least listening to receive data on the other end. I won't be able to test sending anything as your outputs app has an SSL Cert. Can you also try to telnet to input-prd-p-7jmfcpd9xcqm.cloud.splunk.com on port 9997 from your host to make sure you don't have a pesky outbound firewall rule in the way?
  3. Have you verified you're not receiving any internal logs for that host already? You should be able to search index=_internal host=<your_host_name> OR host=<your_host_ip>
  4. Can you look at your splunkd.log for errors? C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log. If you're unsure what you're looking at, try to paste some of the most recent lines and see if any errors are sticking out in there.
0 Karma
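The two replies above ask for the same three things: the `btool outputs list` stanzas, a port test against the Splunk Cloud input host, and a look at splunkd.log for errors. The script below is an added example (not code from the thread, from the posters, or from Splunk) that automates the offline part of that triage: it parses the btool listing, checks that `defaultGroup` points at an existing `[tcpout:<group>]` stanza with a well-formed `server`, that TLS verification has a CA path to work with, and pulls WARN/ERROR lines out of splunkd.log text. The btool sample is the thread's own output with secrets redacted; the log lines are constructed in splunkd.log's general layout and are not captured from a real forwarder. The `port_reachable` helper is the socket equivalent of the telnet test and is left for the operator to call.

```python
"""Offline sanity checks for a Universal Forwarder that never reaches Splunk Cloud.

Added example, not code from the thread or from Splunk. Inputs are the text of
`splunk cmd btool outputs list` and a handful of splunkd.log lines.
"""
import re
import socket
from typing import Dict, List, Tuple

# Constructed sample: the stanzas from the thread's btool output, secrets redacted.
BTOOL_OUTPUT = """\
[tcpout]
defaultGroup = splunkcloud
disabled = false
useACK = false
[tcpout:splunkcloud]
compressed = false
disabled = false
server = xxxxxxx.cloud.splunk.com:9997
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslCommonNameToCheck = input-prd-p-7jmfcpd9xcqm.cloud.splunk.com
sslPassword = xxxxxxxx
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true
"""

# Constructed splunkd.log lines in the general "date time tz LEVEL Component - message"
# layout; the messages are illustrative, not quoted from a real forwarder.
SAMPLE_LOG = """\
01-15-2019 10:12:01.001 +0100 INFO  TcpOutputProc - Connecting to configured output group
01-15-2019 10:12:31.002 +0100 WARN  TcpOutputProc - Cooked connection to ip=203.0.113.10:9997 timed out
01-15-2019 10:12:31.003 +0100 ERROR TcpOutputProc - Connection to host=203.0.113.10:9997 failed
01-15-2019 10:12:32.004 +0100 INFO  Metrics - group=queue, name=tcpout_splunkcloud, blocked=true
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)


def parse_btool(text: str) -> Dict[str, Dict[str, str]]:
    """Turn btool's '[stanza]' / 'key = value' listing into nested dicts."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_outputs(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the outputs look consistent."""
    tcpout = stanzas.get("tcpout")
    if tcpout is None:
        return ["no [tcpout] stanza: the forwarder has no destination at all"]
    groups = [g.strip() for g in tcpout.get("defaultGroup", "").split(",") if g.strip()]
    if not groups:
        return ["[tcpout] has no defaultGroup, so nothing is forwarded"]
    findings: List[str] = []
    if tcpout.get("disabled", "false").lower() == "true":
        findings.append("[tcpout] is disabled globally")
    for group in groups:
        dest = stanzas.get(f"tcpout:{group}")
        if dest is None:
            findings.append(f"defaultGroup={group} but no [tcpout:{group}] stanza")
            continue
        if dest.get("disabled", "false").lower() == "true":
            findings.append(f"[tcpout:{group}] is disabled")
        server = dest.get("server", "")
        if not server:
            findings.append(f"[tcpout:{group}] has no server setting")
        for entry in filter(None, (s.strip() for s in server.split(","))):
            host, sep, port = entry.rpartition(":")
            if not sep or not host or not port.isdigit():
                findings.append(f"malformed server entry '{entry}' (expected host:port)")
        if dest.get("sslVerifyServerCert", "false").lower() == "true" and not dest.get("sslRootCAPath"):
            findings.append(f"[tcpout:{group}] verifies the server cert but sets no sslRootCAPath")
    return findings


def scan_log(text: str, levels: Tuple[str, ...] = ("WARN", "ERROR", "FATAL")) -> List[Tuple[str, str, str]]:
    """Return (level, component, message) for every line at WARN or worse.
    Lines that do not match the expected layout are skipped rather than guessed at."""
    hits: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m and m.group("level") in levels:
            hits.append((m.group("level"), m.group("component"), m.group("msg")))
    return hits


def port_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """TCP-connect test equivalent to the telnet check; proves only that the
    socket opens, not that the TLS handshake or certificate check succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in check_outputs(parse_btool(BTOOL_OUTPUT)) or ["outputs look consistent"]:
        print("outputs:", finding)
    for level, component, msg in scan_log(SAMPLE_LOG):
        print(f"splunkd.log: {level} {component}: {msg}")
    # Network check is left to the operator, e.g.:
    # port_reachable("input-prd-p-7jmfcpd9xcqm.cloud.splunk.com", 9997)
```

On a real forwarder, feed `parse_btool` the captured output of `splunk cmd btool outputs list` and `scan_log` the last few hundred lines of splunkd.log; a clean outputs check combined with repeated WARN/ERROR lines from the output pipeline points at the network path (firewall, proxy, TLS) rather than at the configuration.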

phadnett_splunk
Splunk Employee

Hello apietersen, I am sorry you are having trouble configuring Splunk to ingest data. Have you followed the steps outlined in the document below?
http://docs.splunk.com/Documentation/Forwarder/6.4.1/Forwarder/HowtoforwarddatatoSplunkCloud

0 Karma

apietersen
Contributor

I think I have done all of this - still no success, and still no idea how to troubleshoot this issue.

0 Karma