Getting Data In

How to do new User-Setup Windows Event Logs from Universal Forwarder to Different Index?

ghostdog920
Path Finder

Sorry for this question as I know it is probably simple, but I can't figure it out. I have a single Windows server running the Splunk universal forwarder. I have tried to set up a data input (may not be necessary) to receive the information, TCP 5143, and then put it to a sourcetype of WinEventLog:Security and a new indexer, security_file_audit.

On my Windows server where the universal forwarder is installed, I have set up the outputs.conf file to:

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://splunk1.patientfirst.com:5143]

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143

When I cycle the service I get errors:
01-24-2018 14:11:04.109 -0500 WARN TcpOutputProc - Cooked connection to ip=10.0.103.210:5143 timed out

When I change from 5143 to 9997, though, everything comes across, though not to my new index but rather to main.

Hopefully I am just doing something stupid. Can someone clarify where I am going wrong?

0 Karma
1 Solution

mdsnmss
SplunkTrust

What you will want is a combination of outputs.conf and inputs.conf. The outputs.conf tells the forwarder what server to send the data to and the inputs.conf tells it what data to send and what properties to go with that data. You should have something that looks like this on your universal forwarder:

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:9997

inputs.conf

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
index = <your index>

Unless changed in the configs the port for sending Splunk data from forwarder to indexer should be 9997. For forwarding Windows events this is a good resource to check and you may adjust the settings as desired (maybe you only want specific event codes from WinEventLog:Security?): https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf#Windows_Event_Log_Monitor.


0 Karma
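To make the two mistakes in this thread visible before restarting the forwarder, here is an added checker (example code written for this answer, not a Splunk tool and not the poster's own script). It parses outputs.conf and inputs.conf in Splunk's stanza format and reports the misconfigurations discussed above: a tcpout group pointing at a port other than the indexer's splunktcp receiving port (assumed to be the default 9997, as the answer says), an orphaned `[tcpout-server://...]` stanza, a disabled input, and a `[WinEventLog://...]` input with no `index` (or a left-over `<your index>` placeholder), whose events therefore land in the default index `main`. The sample inputs.conf for the broken case is constructed, since the question did not include one; the index name `security_file_audit` is the one from the question.

```python
"""Sanity checks for a Universal Forwarder's outputs.conf / inputs.conf pair.

Hypothetical helper (not part of Splunk). It parses both files in Splunk's
INI-like stanza format and reports the misconfigurations that send events to
the wrong index or to a port the indexer does not accept cooked data on.
"""
import re
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]
_STANZA = re.compile(r"^\[(.+)\]\s*$")
_TRUE = {"1", "true", "t", "yes", "y"}


def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf text: [stanza] headers followed by key = value lines."""
    conf: Conf = {}
    stanza = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA.match(line)
        if m:
            stanza = m.group(1).strip()
            conf.setdefault(stanza, {})   # keep empty stanzas so orphans are visible
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf


def _enabled(stanza: Dict[str, str]) -> bool:
    # Splunk treats a missing 'disabled' key as enabled.
    return stanza.get("disabled", "0").lower() not in _TRUE


def check_outputs(outputs: Conf, indexer_port: int = 9997) -> List[str]:
    """Check that the default tcpout group is usable and targets the receiving port."""
    findings: List[str] = []
    group = outputs.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["outputs: [tcpout] has no defaultGroup; the forwarder will not send"]
    gstanza = outputs.get(f"tcpout:{group}")
    if gstanza is None:
        return [f"outputs: defaultGroup '{group}' has no [tcpout:{group}] stanza"]
    if not _enabled(gstanza):
        findings.append(f"outputs: group '{group}' is disabled")
    servers = [s.strip() for s in gstanza.get("server", "").split(",") if s.strip()]
    if not servers:
        findings.append(f"outputs: group '{group}' lists no server")
    for s in servers:
        _, _, port = s.rpartition(":")
        if not port.isdigit():
            findings.append(f"outputs: server '{s}' has no port")
        elif int(port) != indexer_port:
            findings.append(f"outputs: server '{s}' uses port {port}; the indexer's "
                            f"splunktcp receiving port is assumed to be {indexer_port}")
    for name in outputs:
        if name.startswith("tcpout-server://") and name[len("tcpout-server://"):] not in servers:
            findings.append(f"outputs: [{name}] is not referenced by group '{group}'")
    return findings


def check_inputs(inputs: Conf, default_index: str = "main") -> List[str]:
    """Flag Windows event log inputs that are disabled or have no target index."""
    findings: List[str] = []
    for name, st in inputs.items():
        if not name.startswith("WinEventLog://"):
            continue
        if not _enabled(st):
            findings.append(f"inputs: [{name}] is disabled")
        idx = st.get("index", "")
        if not idx or idx.startswith("<"):     # missing or placeholder like <your index>
            findings.append(f"inputs: [{name}] sets no index; events land in '{default_index}'")
    return findings


def check_forwarder(outputs_text: str, inputs_text: str) -> List[str]:
    return check_outputs(parse_conf(outputs_text)) + check_inputs(parse_conf(inputs_text))


# The outputs.conf from the question: it targets the raw TCP data input on 5143.
ASKER_OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://splunk1.patientfirst.com:5143]

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143
"""
# Constructed inputs.conf for the broken case: the input exists but names no index.
ASKER_INPUTS = """
[WinEventLog://Security]
disabled = 0
"""
# The answer's configuration, with the question's index name filled in.
FIXED_OUTPUTS = ASKER_OUTPUTS.replace("5143", "9997").replace(
    "[tcpout-server://splunk1.patientfirst.com:9997]\n", "")
FIXED_INPUTS = """
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
index = security_file_audit
"""

if __name__ == "__main__":
    for label, out, inp in (("broken", ASKER_OUTPUTS, ASKER_INPUTS),
                            ("fixed", FIXED_OUTPUTS, FIXED_INPUTS)):
        print(label, check_forwarder(out, inp) or ["ok"])
```

Run it against the forwarder's `etc/system/local` (or the app's `local/`) copies of both files; the broken pair yields two findings (the 5143 port and the missing index) and the fixed pair yields none. The port value is a parameter because a site may have changed the receiving port in the indexer's inputs.conf.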
