Getting Data In

How to properly configure Universal Forwarder, located on the same machine as my Splunk instance?

aoliullah
Path Finder

Hi. I am trying to install a universal forwarder on the same machine as my Splunk instance just to see how Universal Forwarder (UF) works. I understand that you can collect the logs locally, but just to understand how UF works I am trying to do it. I have followed the installation wizard and entered the receiver details as 127.0.0.1 and 9997 as the port. I left the deployment server details empty. I also configured the receiver on the Indexer, but I am still unable to see Windows event logs when I search. Could someone please help? I am new to Splunk.

0 Karma
1 Solution

skoelpin
SplunkTrust

Did you edit your inputs.conf to monitor the directory you want Splunk to ingest?

Under your Splunkforwarder home directory, go to etc/system/local and create an inputs.conf file and put the stanza below in it. Make sure to substitute the path to the file you want to monitor, give it a sourcetype, and the index you want this data to go to. Also make sure you have the index defined before sending data there.

# the stanza scheme is monitor:// (colon and two slashes); keys are not indented
[monitor://C:\PATH_TO_FILE]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX


0 Karma

ashishmaind2499
New Member

I am facing the same issue too. I installed Splunk Universal Fwd and Splunk Enterprise on my C drive. I created a sample file and modified the inputs.conf as mentioned above and enabled the receiver by setting the port to 9997. Do we have to modify/create the outputs.conf file? I tried creating outputs.conf too, but no use. In outputs.conf I gave the server name as localhost. Am I missing something? Also, do we have to modify anything in distributed search? I assume my Splunk Enterprise is acting as both SH and Indexer.

0 Karma

lquinn
Contributor

Have you set up inputs on the forwarder, to tell it what to forward?

0 Karma


aoliullah
Path Finder

I had already chosen Windows event logs in the UF installation wizard. Wouldn't that configure it automatically? Do I need to do anything under data inputs?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Yes, it should have. You can go to Settings > Data Inputs and see if there's anything for local event log collection, or you can go to splunkforwarder/etc/system/local and see if you have an inputs.conf with a stanza collecting your event logs.

You could also create a quick test by creating a temp folder on your C drive and creating a text file inside that folder. You should then add the stanza I provided above and point it to that text file you created. Restart the Splunk service after making changes and verify that Splunk ingests it

http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorWindowseventlogdata

0 Karma
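The accepted answer covers the inputs.conf side, and the follow-up question asks about outputs.conf; the quick test above (temp folder, text file, stanza, restart, verify) ties them together. The script below is an added example, not code from the thread or from Splunk, that walks both sides of the same-host setup end to end: it opens the receiver and creates the index on the Splunk Enterprise instance, points the forwarder at 127.0.0.1:9997, writes an inputs.conf that monitors a test file and the Security and System event logs, and then verifies from each side with the Splunk CLI (the UF has no web UI, so Settings > Data Inputs in Splunk Web shows the Enterprise instance's inputs, not the forwarder's). Everything specific to it is assumed rather than taken from the page: the default install paths, the index name uf_test, the test file C:\temp\test.txt, the sourcetype uf_test_file, and that you run it from an elevated PowerShell prompt and answer the credential prompts the CLI raises.

```powershell
# Added example (not from the thread): Universal Forwarder and Splunk Enterprise
# on the same Windows host, forwarding over 127.0.0.1:9997.
# Assumptions: default install paths, index "uf_test", test file C:\temp\test.txt.
# The splunk.exe commands prompt for credentials when they need them.

$UfHome  = 'C:\Program Files\SplunkUniversalForwarder'
$EntHome = 'C:\Program Files\Splunk'
$UfCli   = Join-Path $UfHome  'bin\splunk.exe'
$EntCli  = Join-Path $EntHome 'bin\splunk.exe'
$Index   = 'uf_test'

# 1. Indexer side: the index must exist before data is sent to it, and the
#    receiver must be listening. "enable listen" writes [splunktcp://9997]
#    into $EntHome\etc\system\local\inputs.conf.
& $EntCli add index $Index
& $EntCli enable listen 9997

# 2. Forwarder side: where to send. This writes the [tcpout] stanzas into
#    $UfHome\etc\system\local\outputs.conf; "localhost" also works, but the
#    literal loopback address avoids any name-resolution surprise.
& $UfCli add forward-server 127.0.0.1:9997

# 3. Forwarder side: what to collect. Create the test file first so the
#    monitor input has something to read on first start.
New-Item -ItemType Directory -Force -Path 'C:\temp' | Out-Null
"test line written $(Get-Date -Format o)" | Add-Content -Path 'C:\temp\test.txt'

$UfLocal    = Join-Path $UfHome 'etc\system\local'
$inputsConf = @"
# The scheme is monitor:// (colon, two slashes). [monitor//path] is not a valid stanza.
[monitor://C:\temp\test.txt]
disabled = 0
sourcetype = uf_test_file
index = $Index

# Event logs ticked in the installer wizard typically land in
# etc\apps\SplunkUniversalForwarder\local\inputs.conf; repeating the stanza
# here (system\local has higher precedence) lets us pin the index.
[WinEventLog://Security]
disabled = 0
index = $Index

[WinEventLog://System]
disabled = 0
index = $Index
"@
Set-Content -Path (Join-Path $UfLocal 'inputs.conf') -Value $inputsConf -Encoding ASCII

# 4. The forwarder only reads .conf changes on restart.
& $UfCli restart

# 5. Verify on the forwarder: the merged input config, and whether the
#    outbound connection to the indexer is up ("Active forwards").
& $UfCli btool inputs list --debug | Select-String -Pattern 'monitor|WinEventLog'
& $UfCli list forward-server

# 6. Verify on the indexer: data arriving per sourcetype, and the forwarder's
#    own splunkd.log (forwarded into _internal by default) reporting the link.
& $EntCli search "index=$Index | stats count by sourcetype"
& $EntCli search 'index=_internal component=TcpOutputProc "Connected to idx"'
```

Because both instances run on one host they report the same host field, so search by index or sourcetype (index=uf_test sourcetype=WinEventLog:Security) rather than by host when checking which side produced an event. Reading the Security log requires the forwarder service account to be Local System or a member of Event Log Readers; the default service account is Local System. Note that "enable listen" binds the receiver on all interfaces and the forwarder-to-indexer link is cleartext unless TLS is configured in both outputs.conf and the receiver's inputs.conf, which is acceptable for a loopback lab setup but not for anything that leaves the box.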