Getting Data In
Highlighted

How do I edit my configurations to monitor Windows event logs using Splunk Cloud?

Path Finder

After 2 days of reading numerous help docs and watching tutorial videos, still not able to get Splunk Cloud monitoring a simple event log of my Windows test-pc. Installing and de-installing the universal forwarder 10+ times, I am now on the edge of walking away from this Splunk puzzle. Splunkuniversforwarding service is running, splunkd process running, what next to check...

inputs.conf:

[default]
host = Asus-AP

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
<<

server.conf

[general]
serverName = Asus-AP
pass4SymmKey = xxxxxxxxxxxx

[sslConfig]
sslKeysfilePassword = xxxxxxxxxxxx

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
<<

deploymentcliet.conf:
[target-broker:deploymentServer]
targetUri = prd-p-7jmfcpd9xcqm.cloud.splunk.com:8089
<<

NO outputs.conf file (why? and where do I correct this? adding it manually?)

I missed a complete step by step video or document to make a simple working setup for Splunk Cloud monitoring the eventlog of a windows pc system. When starting to read help documentation and clicking on the relevant part, it opens a new page...in no time I have at least 10 pages open and still no answer...

some help is appreciated.
Regards
A.Pietersen

0 Karma
Highlighted

Re: How do I edit my configurations to monitor Windows event logs using Splunk Cloud?

Splunk Employee
Splunk Employee

Hello apietersen, I am sorry you are having trouble configuring Splunk to ingest data. Have you followed the steps outlined in the document below?
http://docs.splunk.com/Documentation/Forwarder/6.4.1/Forwarder/HowtoforwarddatatoSplunkCloud

0 Karma
Highlighted

Re: How do I edit my configurations to monitor Windows event logs using Splunk Cloud?

Path Finder

I think I have done all - still no succes, still have no idea how to troubleshoot this issue.

0 Karma
Highlighted

Re: How do I edit my configurations to monitor Windows event logs using Splunk Cloud?

Builder
  1. Are you receiving any internal logs in Splunk Cloud from your Forwarder?

  2. Do you have any outputs configured on your universal forwarder? The following command will list any outputs you have

    ./splunk cmd btool outputs list

Splunk Cloud should provide you with an outputs app to place on your universal forwarder.

0 Karma
Highlighted

Re: How do I edit my configurations to monitor Windows event logs using Splunk Cloud?

Path Finder

Trying to send some further info, again no karma enough. pff 😞 Hope this post is allowed. De-installed and installed universal forwarder again. (could not remove app and other stuff from de the cloud console)

Here is the output of splunk cmd btool outputs list
hope you can find something that solves this issue (note: I can always provide a remote session to our test-pc if needed)

C:\Program Files\SplunkUniversalForwarder\bin>splunk cmd btool outputs list
[syslog]
dropEventsOnQueueFull = -1
maxEventSize = 1024
priority = <13>
type = udp
[tcpout]
ackTimeoutOnShutdown = 30
autoLBFrequency = 30
blockOnCloning = true
blockWarnThreshold = 100
compressed = false
connectionTimeout = 20
defaultGroup = splunkcloud
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
forceTimebasedAutoLB = false
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
forwardedindex.filter.disable = false
heartbeatFrequency = 30
indexAndForward = false
maxConnectionsPerIndexer = 2
maxFailuresPerInterval = 2
maxQueueSize = auto
readTimeout = 300
secsInFailureInterval = 1
sendCookedData = true
sslQuietShutdown = false
tcpSendBufSz = 0
useACK = false
writeTimeout = 300
[tcpout:splunkcloud]
compressed = false
disabled = false
server = xxxxxxx.cloud.splunk.com:9997
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslCommonNameToCheck = input-prd-p-7jmfcpd9xcqm.cloud.splunk.com
sslPassword = xxxxxxxx
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true

C:\Program Files\SplunkUniversalForwarder\bin>

regards
apietersen

0 Karma
Highlighted

Re: How do I edit my configurations to monitor Windows event logs using Splunk Cloud?

Builder
  1. You have the Cloud Outputs App installed which is good news.
  2. I am able to telnet to input-prd-p-7jmfcpd9xcqm.cloud.splunk.com on port 9997 so it's at least listening to receive data on the other end. I won't be able to test sending anything as your outputs app has an SSL Cert. Can you also try to telnet to input-prd-p-7jmfcpd9xcqm.cloud.splunk.com on port 9997 from your host to make sure you don't have a pesky outbound firewall rule in the way?
  3. Have you verified you're not receiving any internal logs for that host already? you should be able to search index=_internal host=<your_host_name> OR host=<your_host_ip>
  4. Can you look at your splunkd.log for errors? C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log. If you're unsure what you're looking at try and paste some of the most recent lines and see if any errors are sticking out in there.
0 Karma