Getting Data In

I have configured input.conf of splunk universal forwader but logs are receving with a delay of almost one hour.Unable to receive current logs

aqudoos
Explorer

My inputs.conf are mentioned below.

Make sure these get forwarded

[monitor://C:\Windows\System32\winevt\Logs\Security.evtx]
index=windowlogs

Please help.

0 Karma

FrankVl
Ultra Champion

Any reason you're ingesting windows logs like this, by pointing at the evtx files? I think Splunk documentation even explicitely mentions that you shouldn't read the live evtx file that is still being written to.

To ingest windows logs from the local machine, use the [WinEventLog://Security] input stanza. For details: http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata

0 Karma

deepashri_123
Motivator

Hey@aqudoos,

Are the internal logs of the forwarder also delayed?

0 Karma

aqudoos
Explorer

NO.Internal logs of forwarder are not delayed.

0 Karma

p_gurav
Champion

Can you check the connectivity between forwarder and indexer? Also check indexing queue in monitoring console.

0 Karma

aqudoos
Explorer

Forwarder was installed on the same server where splunk enterprise was installed for testing purposes.

0 Karma

p_gurav
Champion

oh. Can you check _internal logs for error and check indexing queue in monitoring console?

0 Karma

aqudoos
Explorer

I am receiveing below mentioned error with high frequency.

ERROR TcpInputProc - Message rejected. Received unexpected message of size=174291836 bytes from src=x.x.x.x:12345 in streaming mode. Maximum message size allowed=63412458. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

0 Karma

p_gurav
Champion

Can you share configuration details of outputs.conf and deploymentclients.conf?

0 Karma

aqudoos
Explorer

I haven't configured outputs.conf as during installation I enter the deployment server and receiver indexer details.The same purpose will be done in ouput.conf if you didn't enter during installation.Other than input.conf I didn't changed any configuration.

Am I right or missing something.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...