Getting Data In

How do you get data into Splunk Enterprise with a universal forwarder?

bwouters
Path Finder

I installed Splunk Enterprise 7.0 on a Unix machine and wish to get data from a Windows machine (any data would suffice for now, since I'm new to Splunk and trying to grasp the concept of it all).

Some configs I did using the documentation available:
Splunk Enterprise server (unix system)
$ cat inputs.conf
[default]
host = SPLUNK

[splunktcp://9997]
disabled = 0

Splunk Universal Forwarder (Windows Server machine)
-> splunk add forward-server :9997
-> splunk set deploy-poll :9997
-> Added some config in 'inputs.conf':

# Windows platform specific input processor.

[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[monitor:///apache/*.log]
disabled = 0

-> splunk enable eventlog System
Specified input collection has been enabled

Now I want to add a forwarder using Splunk Web on my Enterprise system.
I log on to the website, select 'Add data' > 'Forward' and get: 'There are currently no forwarders configured as deployment clients to this instance.'
Not sure what I'm doing wrong. However, when I search for data, I do see some results there from the Windows machine!


martin_mueller
SplunkTrust

The deploy-poll should be port 8089 of your deployment server, assuming default ports are used.


gcusello
Esteemed Legend

Hi bwouters,
To collect Windows logs, I suggest using Splunk_TA_Windows, which contains all the configurations needed to collect Windows logs.
This TA is available at https://splunkbase.splunk.com/app/742/ and contains all the inputs and scripts to collect Windows logs; you only have to enable them in inputs.conf by putting disabled=0 in the stanzas you like.

Bye.
Giuseppe


martin_mueller
SplunkTrust

The outputs.conf is fine, as you've said yourself: you see events from that machine indexed.

Deployment client config is stored in deploymentclient.conf (duh); the CLI command creates the file in etc/system/local.

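The two answers above come down to one check: outputs.conf must point at the splunktcp receiving port (9997 here), while deploymentclient.conf must point at the deployment server's management port (8089 by default), because deployment polling is REST traffic to the management port, not a data connection. The following is an added example (not from the thread or from Splunk) that parses both files as the INI-style stanzas Splunk uses and flags exactly the mismatch in this thread. The conf contents are constructed from the posts; the IP 192.0.2.10 is a placeholder standing in for the elided server address, and the deploymentclient.conf stanza is the one `splunk set deploy-poll host:port` writes.

```python
import re

# Constructed sample files modelled on the thread; 192.0.2.10 is a placeholder IP.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.0.2.10:9997

[tcpout-server://192.0.2.10:9997]
"""

# What 'splunk set deploy-poll 192.0.2.10:9997' leaves in etc/system/local (the mistake).
DEPLOYMENTCLIENT_CONF_WRONG = """\
[target-broker:deploymentServer]
targetUri = 192.0.2.10:9997
"""

# What 'splunk set deploy-poll 192.0.2.10:8089' leaves there (the fix).
DEPLOYMENTCLIENT_CONF_FIXED = """\
[target-broker:deploymentServer]
targetUri = 192.0.2.10:8089
"""


def parse_conf(text):
    """Parse a Splunk .conf file into {stanza: {key: value}}.

    Splunk conf files are INI-like: [stanza] headers, key = value lines and
    '#' comments. Keys before any header are kept under the 'default' stanza,
    which is also how Splunk itself treats them.
    """
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def host_port(value):
    """Split 'host:port' into (host, port); rpartition keeps IPv6-style hosts intact."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def check_forwarder(outputs_text, deploymentclient_text, mgmt_port=8089):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    outputs = parse_conf(outputs_text)
    dc = parse_conf(deploymentclient_text)

    # Every receiver named in a tcpout group is a data (splunktcp) target.
    data_targets = set()
    for name, kv in outputs.items():
        if name.startswith("tcpout:") and "server" in kv:
            for entry in kv["server"].split(","):
                data_targets.add(host_port(entry.strip()))
    if not data_targets:
        findings.append("outputs.conf: no tcpout group defines a server")

    target = dc.get("target-broker:deploymentServer", {}).get("targetUri")
    if target is None:
        findings.append("deploymentclient.conf: no targetUri, deploy-poll was never set")
        return findings

    ds_host, ds_port = host_port(target)
    if ds_port != mgmt_port:
        findings.append(
            f"deploymentclient.conf: targetUri uses port {ds_port}, but the deployment "
            f"server listens on the management port {mgmt_port}"
        )
    if (ds_host, ds_port) in data_targets:
        findings.append(
            "deploymentclient.conf: targetUri is the splunktcp data port from outputs.conf; "
            "deployment polling is REST to the management port, so this client never registers"
        )
    return findings


if __name__ == "__main__":
    for label, dc_text in (("wrong", DEPLOYMENTCLIENT_CONF_WRONG), ("fixed", DEPLOYMENTCLIENT_CONF_FIXED)):
        print(label, check_forwarder(OUTPUTS_CONF, dc_text) or ["ok"])
```

On a real forwarder, point the two parse calls at $SPLUNK_HOME/etc/system/local/outputs.conf and deploymentclient.conf, or compare against `splunk btool deploymentclient list --debug`, which prints the merged stanza together with the file each setting came from.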

bwouters
Path Finder

It's working now, after changing the port to 8089.
I guess the system needed a bit more time to process the change.

Thanks for informing me about the port!


bwouters
Path Finder

I executed the command again with a different port (8089), but without success.
Is there a specific config file I can check to make sure it has changed?

I checked the outputs.conf file in etc/system/local.
It contains the following:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = IP:9997

[tcpout-server://IP:9997]

-> Is this even the correct place to look?
