Getting Data In

How do you get data into Splunk Enterprise with a universal forwarder?

bwouters
Path Finder

I installed Splunk Enterprise 7.0 on a Unix machine and wish to get data from a Windows machine (any data would suffice for now, since I'm new to Splunk and trying to grasp the concept of it all).

Some configs I did using the documentation available:
Splunk Enterprise server (unix system)
$ cat inputs.conf
[default]
host = SPLUNK

[splunktcp://9997]
disabled = 0

Splunk Universal Forwarder (Windows Server machine)
-> splunk add forward-server :9997
-> splunk set deploy-poll :9997
-> Added some config in 'inputs.conf'

Windows platform specific input processor.

[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[monitor:///apache/*.log]
disabled = 0

-> splunk enable eventlog System
Specified input collection has been enabled

Now I want to add a Forwarder using the Splunk Web on my Enterprise system.
I log on to the website, select 'Add data' > 'Forward' > 'There are currently no forwarders configured as deployment clients to this instance.'
Not sure what I'm doing wrong. However, when I search for data, I do see some results there from the Windows machine!

0 Karma
1 Solution

martin_mueller
SplunkTrust

The deploy-poll should be port 8089 of your deployment server, assuming default ports are used.


gcusello
SplunkTrust

Hi bwouters,
To take Windows logs, I suggest using Splunk_TA_Windows, which contains all the configurations to take Windows logs.
This TA is available at https://splunkbase.splunk.com/app/742/ and contains all inputs and scripts to take Windows logs; you only have to enable them in inputs.conf by putting disabled=0 in the stanzas you like.

Bye.
Giuseppe

0 Karma

martin_mueller
SplunkTrust

The outputs.conf is fine, as you've said yourself - you see events from that machine indexed.

Deployment client config is stored in deploymentclient.conf (duh), the CLI command creates the file in etc/system/local.

0 Karma

bwouters
Path Finder

It's working now, after changing the port to 8089.
I guess the system needed a bit more time to process the change.

Thanks for informing me about the port!

0 Karma

bwouters
Path Finder

I executed the command again with a different port (8089), but without success.
Is there a specific config file I can check to make sure it has changed?

I checked the outputs.conf file in etc/system/local.
It contains the following:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = IP:9997

[tcpout-server://IP:9997]

-> Is this even the correct place to look?

0 Karma