Getting Data In

How to do new User-Setup Windows Event Logs from Universal Forwarder to Different Index?

Path Finder

Sorry for this question as I know it is probably simple, but I can't figure it out. I have a single Windows server running the Splunk universal forwarder. I have tried to set up a data input (may not be necessary) to receive the information, TCP 5143, and then put it to a sourcetype of WinEventLog:Security and a new indexer, security_file_audit.

On my Windows server where the universal forwarder is installed, I have set up the outputs.conf file to:

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://splunk1.patientfirst.com:5143]

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143

When I cycle the service I get errors:
01-24-2018 14:11:04.109 -0500 WARN TcpOutputProc - Cooked connection to ip=10.0.103.210:5143 timed out

When I change from 5143 to 9997, though, everything comes across, though not to my new index but rather to main.

Hopefully I am just doing something stupid. Can someone clarify where I am going wrong?

0 Karma
1 Solution

SplunkTrust

What you will want is a combination of outputs.conf and inputs.conf. The outputs.conf tells the forwarder what server to send the data to and the inputs.conf tells it what data to send and what properties to go with that data. You should have something that looks like this on your universal forwarder:

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:9997

inputs.conf

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
index = <your index>

Unless changed in the configs, the port for sending Splunk data from forwarder to indexer should be 9997. For forwarding Windows events this is a good resource to check, and you may adjust the settings as desired (maybe you only want specific event codes from WinEventLog:Security?): https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf#Windows_Event_Log_Monitor.


0 Karma
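As an added example (not from the original thread or from Splunk), the following script parses the forwarder's two .conf files in Splunk's stanza format and flags the two problems the answer above points at: a tcpout server on a port other than the indexer's default receiving port (assumed to be 9997, as the answer states) and an enabled WinEventLog input with no index= line, which is why events land in main. The file contents are constructed to mirror the question's configuration.

```python
import re

# Constructed sample files mirroring the question: port 5143 in outputs.conf,
# and an inputs.conf stanza with no index= line.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143
"""
INPUTS_CONF = """\
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments are ignored."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_forwarder(outputs_text, inputs_text, expected_port="9997"):
    """Return a list of findings; an empty list means the routing looks right."""
    findings = []
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    group = outputs.get("tcpout", {}).get("defaultGroup")
    servers = outputs.get(f"tcpout:{group}", {}).get("server", "")
    for server in [s.strip() for s in servers.split(",") if s.strip()]:
        host, _, port = server.rpartition(":")
        if port != expected_port:
            findings.append(f"{host} uses port {port}; indexer receives on {expected_port}")
    for name, stanza in inputs.items():
        # An enabled WinEventLog input without index= goes to the indexer's default (main).
        if name.startswith("WinEventLog://") and stanza.get("disabled", "0") in ("0", "false"):
            if not stanza.get("index"):
                findings.append(f"{name} has no index set; events will land in main")
    return findings
```

Running check_forwarder on the corrected files (port 9997 and an index= line under [WinEventLog://Security]) returns an empty list.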
