Getting Data In

How do you get data into Splunk Enterprise with a universal forwarder?

bwouters
Path Finder

I installed a Splunk Enterprise 7.0 on a Unix machine and wish to get data from a Windows machine (any data would suffice for now since I'm new to Splunk, trying to grasp the concept of it all).

Some configs I did using the documentation available:
Splunk Enterprise server (unix system)
$ cat inputs.conf
[default]
host = SPLUNK

[splunktcp://9997]
disabled = 0

Splunk Universal Forwarder (Windows Server machine)
-> splunk add forward-server :9997
-> splunk set deploy-poll :9997
-> Added some config in 'inputs.conf'

Windows platform specific input processor.

[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[monitor:///apache/*.log]
disabled = 0

-> splunk enable eventlog System
Specified input collection has been enabled

Now I want to add a Forwarder using the Splunk Web on my Enterprise system.
I log on to the website, select 'Add data' > 'Forward' > 'There are currently no forwarders configured as deployment clients to this instance.'
Not sure what I'm doing wrong. However, when I search for data, I do see some results there from the Windows machine!

0 Karma
1 Solution

martin_mueller
SplunkTrust

The deploy-poll should be port 8089 of your deployment server, assuming default ports are used.


gcusello
SplunkTrust

Hi bwouters,
To take Windows logs, I suggest using Splunk_TA_Windows, which contains all the configurations to take Windows logs.
This TA is available at https://splunkbase.splunk.com/app/742/ and contains all inputs and scripts to take Windows logs; you only have to enable them in inputs.conf by putting disabled=0 in the stanzas you like.

Bye.
Giuseppe

0 Karma

martin_mueller
SplunkTrust

The outputs.conf is fine, as you've said yourself - you see events from that machine indexed.

Deployment client config is stored in deploymentclient.conf (duh), the CLI command creates the file in etc/system/local.

0 Karma
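Added example, not from the thread and not Splunk's own code: a small Python checker that parses a forwarder's outputs.conf and deploymentclient.conf and flags the mix-up discussed above (deploy-poll pointed at the 9997 receiving port instead of the 8089 management port). It assumes the default ports and uses the constructed host name 'splunk-server' in place of the OP's IP.

```python
import configparser

# Assumption: default Splunk ports, as in the thread.
SPLUNKTCP_PORT = 9997   # indexer receiving port ([splunktcp://9997] in inputs.conf)
MGMT_PORT = 8089        # splunkd management port the deployment server answers on

def _parse(text):
    """Splunk .conf files are INI-style with case-sensitive, possibly bare keys."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _port_of(hostport):
    """'host:9997' -> 9997; None when no numeric port is present."""
    _, _, port = hostport.strip().rpartition(":")
    return int(port) if port.isdigit() else None

def check_forwarder(outputs_text, deploymentclient_text):
    """Return a list of findings; an empty list means both files look right."""
    findings = []
    out = _parse(outputs_text)
    for section in out.sections():
        if section.startswith("tcpout:"):  # output group, as in the OP's outputs.conf
            for target in out[section].get("server", "").split(","):
                if _port_of(target) != SPLUNKTCP_PORT:
                    findings.append(f"{section}: {target.strip()} is not on splunktcp port {SPLUNKTCP_PORT}")
    dc = _parse(deploymentclient_text)
    stanza = "target-broker:deploymentServer"  # written by 'splunk set deploy-poll'
    if not dc.has_section(stanza):
        findings.append("deploymentclient.conf: no target-broker stanza, deploy-poll never set")
    else:
        port = _port_of(dc[stanza].get("targetUri", ""))
        if port == SPLUNKTCP_PORT:
            findings.append(f"deploymentclient.conf: targetUri uses receiving port {port}, not management port {MGMT_PORT}")
        elif port != MGMT_PORT:
            findings.append(f"deploymentclient.conf: targetUri port {port} is not management port {MGMT_PORT}")
    return findings

# Constructed samples mirroring the thread; 'splunk-server' stands in for the OP's IP.
OUTPUTS_CONF = """[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunk-server:9997
[tcpout-server://splunk-server:9997]
"""
DC_BEFORE = "[target-broker:deploymentServer]\ntargetUri = splunk-server:9997\n"
DC_AFTER = "[target-broker:deploymentServer]\ntargetUri = splunk-server:8089\n"
```

Calling check_forwarder(OUTPUTS_CONF, DC_BEFORE) returns one finding about the 9997 deploy-poll port, and check_forwarder(OUTPUTS_CONF, DC_AFTER) returns an empty list; point it at the real files under etc/system/local to check a live forwarder.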

bwouters
Path Finder

It's working now, after changing the port to 8089.
I guess the system needed a bit more time to process the change.

Thanks for informing me about the port!

0 Karma

bwouters
Path Finder

I executed the command again with different port (8089) but without success.
Is there a specific config file I can check to make sure it has changed?

I checked the outputs.conf file in etc/system/local.
It contains the following:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = IP:9997

[tcpout-server://IP:9997]

-> Is this even the correct place to look?

0 Karma