How to do new User-Setup Windows Event Logs from Universal Forwarder to Different Index?

ghostdog920
Path Finder

Sorry for this question as I know it is probably simple, but I can't figure it out. I have a single Windows server running the Splunk universal forwarder. I have tried to set up a data input (may not be necessary) to receive the information, TCP 5143, and then put it to a sourcetype of WinEventLog:Security and a new indexer, security_file_audit.

On my Windows server where the universal forwarder is installed, I have set up the outputs.conf file to:

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://splunk1.patientfirst.com:5143]

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143

When I cycle the service, I get errors:
01-24-2018 14:11:04.109 -0500 WARN TcpOutputProc - Cooked connection to ip=10.0.103.210:5143 timed out

When I change from 5143 to 9997, though, everything comes across, though not to my new index but rather to main.

Hopefully I am just doing something stupid. Can someone clarify where I am going wrong?

1 Solution

mdsnmss
SplunkTrust

What you will want is a combination of outputs.conf and inputs.conf. The outputs.conf tells the forwarder what server to send the data to and the inputs.conf tells it what data to send and what properties to go with that data. You should have something that looks like this on your universal forwarder:

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:9997

inputs.conf

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
index = <your index>

Unless changed in the configs, the port for sending Splunk data from forwarder to indexer should be 9997. For forwarding Windows events this is a good resource to check, and you may adjust the settings as desired (maybe you only want specific event codes from WinEventLog:Security?): https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf#Windows_Event_Log_Monitor.

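The two failure modes in this thread (a forwarder pointed at a port the indexer does not accept cooked forwarder data on, and a Windows event log input with no index attribute, so events fall through to main) are both visible by reading the four .conf files involved. The following linter is an added example, not code from the thread or from Splunk: it parses the Splunk stanza format and flags those mistakes. The sample configs are constructed to match the asker's description; the indexer-side stanzas ([splunktcp://9997] as the receiving port, a raw [tcp://5143] data input with the sourcetype and index the asker mentioned, and an indexes.conf entry for security_file_audit) are assumptions about what the indexer looks like, and the function and constant names are mine.

```python
import re

STANZA_RE = re.compile(r"^\[(.+)\]$")
# [splunktcp://9997] accepts cooked forwarder data; [tcp://5143] is a raw-data input.
LISTENER_RE = re.compile(r"^(splunktcp|tcp)://(?:.*:)?(\d+)$")
BUILTIN_INDEXES = {"main"}  # exists on every indexer without an indexes.conf stanza


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; pre-stanza keys go under "default"."""
    conf, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            conf.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[current][key.strip()] = value.strip()
    return conf


def is_disabled(attrs):
    return attrs.get("disabled", "0").lower() in ("1", "true")


def forwarder_targets(outputs):
    """Return the (host, port) pairs the forwarder's default tcpout group sends to."""
    group = outputs.get("tcpout", {}).get("defaultGroup")
    servers = outputs.get(f"tcpout:{group}", {}).get("server", "") if group else ""
    targets = []
    for entry in servers.split(","):
        host, _, port = entry.strip().rpartition(":")
        if port.isdigit():
            targets.append((host, int(port)))
    return targets


def indexer_listeners(inputs):
    """Map listening port -> 'splunktcp' (cooked forwarder data) or 'tcp' (raw data only)."""
    listeners = {}
    for stanza, attrs in inputs.items():
        m = LISTENER_RE.match(stanza)
        if m and not is_disabled(attrs):
            listeners[int(m.group(2))] = m.group(1)
    return listeners


def lint(uf_outputs, uf_inputs, idx_inputs, idx_indexes):
    """Return a list of findings; an empty list means the forwarder/indexer pair should work."""
    findings = []
    listeners = indexer_listeners(parse_conf(idx_inputs))
    for host, port in forwarder_targets(parse_conf(uf_outputs)):
        kind = listeners.get(port)
        if kind is None:
            findings.append(f"outputs.conf: nothing on the indexer listens on {host}:{port}; "
                            "the forwarder will log 'Cooked connection ... timed out'")
        elif kind == "tcp":
            findings.append(f"outputs.conf: {host}:{port} is a raw [tcp://] input; the forwarder "
                            f"sends cooked data, so the indexer needs [splunktcp://{port}]")
    defined = {s for s in parse_conf(idx_indexes) if s != "default"} | BUILTIN_INDEXES
    for stanza, attrs in parse_conf(uf_inputs).items():
        if not stanza.startswith("WinEventLog://") or is_disabled(attrs):
            continue
        index = attrs.get("index")
        if index is None:
            findings.append(f"inputs.conf: [{stanza}] sets no index, so events land in the "
                            "indexer's default index (main)")
        elif index not in defined:
            findings.append(f"inputs.conf: [{stanza}] names index '{index}', which indexes.conf "
                            "on the indexer does not define")
    return findings


# Constructed sample configs (hostname, port and index name follow the thread; the indexer
# side is an assumption about what the asker's web-UI data input created).
BROKEN_OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143
"""
BROKEN_UF_INPUTS = """
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
"""
INDEXER_INPUTS = """
[splunktcp://9997]
disabled = 0

[tcp://5143]
sourcetype = WinEventLog:Security
index = security_file_audit
"""
INDEXER_INDEXES = """
[security_file_audit]
homePath = $SPLUNK_DB/security_file_audit/db
"""
FIXED_OUTPUTS = BROKEN_OUTPUTS.replace(":5143", ":9997")
FIXED_UF_INPUTS = BROKEN_UF_INPUTS + "index = security_file_audit\n"

if __name__ == "__main__":
    for label, o, i in (("broken", BROKEN_OUTPUTS, BROKEN_UF_INPUTS),
                        ("fixed", FIXED_OUTPUTS, FIXED_UF_INPUTS)):
        print(label, lint(o, i, INDEXER_INPUTS, INDEXER_INDEXES) or ["ok"])
```

Running it reports two findings for the asker's configuration (the raw [tcp://5143] input that cannot accept cooked data, and the missing index attribute) and none once outputs.conf points at 9997 and inputs.conf carries index = security_file_audit. The index check matters because an index the indexer does not define does not fall back to main; the events are dropped on the indexer side instead.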
