Sorry for this question as I know it is probably simple, but I can't figure it out. I have a single Windows server running the Splunk universal forwarder. I have tried to set up a data input (may not be necessary) to receive the information, TCP 5143, and then put it to a sourcetype of WinEventLog:Security and a new indexer, security_file_audit.
On my Windows server where the universal forwarder is installed, I have set up the outputs.conf file to:
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://splunk1.patientfirst.com:5143]
[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143
When I cycle the service I get errors:
01-24-2018 14:11:04.109 -0500 WARN TcpOutputProc - Cooked connection to ip=10.0.103.210:5143 timed out
When I change from 5143 to 9997, though, everything comes across, though not to my new index but rather to main.
Hopefully I am just doing something stupid. Can someone clarify where I am going wrong?
What you will want is a combination of outputs.conf and inputs.conf. The outputs.conf tells the forwarder what server to send the data to, and the inputs.conf tells it what data to send and what properties go with that data. You should have something that looks like this on your universal forwarder:
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:9997
inputs.conf
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
index = <your index>
Unless changed in the configs, the port for sending Splunk data from forwarder to indexer should be 9997. For forwarding Windows events this is a good resource to check, and you may adjust the settings as desired (maybe you only want specific event codes from WinEventLog:Security?): https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf#Windows_Event_Log_Monitor.
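Putting both sides together, as an added example that is not part of the original answer: it uses the index name security_file_audit and the hostname from the question, assumes a single indexer, and adds the indexer-side receiving port and index definition that the forwarder-side files depend on.

```ini
# --- Universal forwarder: %SPLUNK_HOME%\etc\system\local\outputs.conf ---
# A forwarder sends "cooked" Splunk data, so the receiver must be a
# splunktcp input (9997 by default), not a plain TCP data input.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:9997

# --- Universal forwarder: %SPLUNK_HOME%\etc\system\local\inputs.conf ---
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
# Without an index setting here, events land in the default index (main).
index = security_file_audit

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receiving port for forwarders. A [tcp://5143] data input only accepts
# raw text and never completes the cooked handshake, which is consistent
# with the "Cooked connection ... timed out" warning in the question.
[splunktcp://9997]
disabled = 0

# --- Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# The index named by the forwarder must be defined on the indexer.
[security_file_audit]
homePath   = $SPLUNK_DB/security_file_audit/db
coldPath   = $SPLUNK_DB/security_file_audit/colddb
thawedPath = $SPLUNK_DB/security_file_audit/thaweddb
```

Restart the forwarder after editing its files, and restart (or reload) the indexer after adding the index, then confirm with index=security_file_audit that Security events arrive.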