Hi. I am trying to install a universal forwarder on the same machine as my Splunk instance just to see how the Universal Forwarder (UF) works. I understand that you can collect the logs locally, but just to understand how the UF works I am trying to do it. I have followed the installation wizard and entered the receiver details as 127.0.0.1 and 9997 as the port. I left the deployment server details empty. I also configured the receiver on the indexer, but I am still unable to see Windows event logs when I search. Could someone please help? I am new to Splunk.
Did you edit your inputs.conf to monitor the directory you want Splunk to ingest?
Under your Splunkforwarder home directory, go to etc/system/local and create an inputs.conf file and put the stanza below in it. Make sure to substitute the path to the file you want to monitor, give a sourcetype, and set the index you want this data to go to. Also make sure you have the index defined before sending data there.

[monitor://C:\PATH_TO_FILE]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX
I had already chosen Windows event logs in the UF installation wizard. Wouldn't that configure it automatically? Do I need to do anything under data inputs?
Yes, it should have. You can go to Settings > Data Inputs and see if there's anything for local event log collection, or you can go to splunkforwarder/etc/system/local and see if you have an inputs.conf with a stanza collecting your event logs.
You could also create a quick test by creating a temp folder on your C drive and creating a text file inside that folder. You should then add the stanza I provided above and point it to that text file you created. Restart the Splunk service after making changes and verify that Splunk ingests it.
Have you set up inputs on the forwarder, to tell it what to forward?
I am facing the same issue too. I installed Splunk Universal Forwarder and Splunk Enterprise on my C drive. I created a sample file and modified the inputs.conf as mentioned above and enabled the receiver by setting the port to 9997. Do we have to modify/create the outputs.conf file? I tried creating outputs.conf too, but no use. In outputs.conf I gave the server name as localhost. Am I missing something? Also, do we have to modify anything in distributed search? I assume my Splunk Enterprise is acting both as SH and indexer.
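The full set of files the thread is circling around (forwarder inputs.conf and outputs.conf, receiver inputs.conf and indexes.conf), written out as an added example rather than any poster's own config. The index name wineventlog, the sourcetype test_log and the C:\temp\test.txt path are assumptions; the 127.0.0.1:9997 receiver and the etc/system/local locations come from the thread.

```ini
# ---- Universal Forwarder: $SPLUNK_HOME\etc\system\local\inputs.conf ----
# Local Windows event log collection (what the installer wizard is meant to
# create when you tick the event log channels). Index name is assumed.
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# Quick sanity-check input: a plain text file you can append lines to.
# Path and sourcetype are assumed placeholders.
[monitor://C:\temp\test.txt]
disabled = 0
sourcetype = test_log
index = wineventlog

# ---- Universal Forwarder: $SPLUNK_HOME\etc\system\local\outputs.conf ----
# Without this the UF has nowhere to send data, which is why creating
# inputs alone shows nothing on the indexer.
[tcpout]
defaultGroup = local_indexer

[tcpout:local_indexer]
server = 127.0.0.1:9997

# ---- Splunk Enterprise (indexer): etc\system\local\inputs.conf ----
# The receiving port; equivalent to enabling receiving on 9997 in the UI.
[splunktcp://9997]
disabled = 0

# ---- Splunk Enterprise (indexer): etc\system\local\indexes.conf ----
# The target index must exist on the indexer, or forwarded events are dropped.
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
```

After restarting both services, "splunk list forward-server" on the forwarder should list 127.0.0.1:9997 under active forwards, and "splunk btool inputs list --debug" shows which file each input stanza was actually read from.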