No events from Universal Forwarder

aly347774
Loves-to-Learn Lots

I installed the Universal Forwarder on a Linux machine and integrated it with Splunk, but there are no logs returned on the Splunk search head. Just so you know, I'm currently working on a distributed Splunk Enterprise deployment.

Any recommendations?


aly347774
Loves-to-Learn Lots

I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

When I searched on the search head, no logs appeared.
I think the error is in the nix app. Does anyone know what modifications need to be made to the nix app so that I can collect the security logs?


PickleRick
SplunkTrust

OK. You downloaded and installed the UF. I assume you started it as well. But as you are apparently using a Deployment Server, did you configure your UF to connect to that DS?


aly347774
Loves-to-Learn Lots

I have specified a specific index so that we can send the logs to it, but when I search on the search head, there are no logs found.
Do I have to specify anything in the inputs.conf file?


PickleRick
SplunkTrust

What do you mean by "I integrated my UF with Splunk"?

Also, the usual questions:

1. Do you have _any_ events from this forwarder (especially the forwarder's own logs in the _internal index) in your Splunk?

2. Do you have connectivity from your UF to your receiving component(s)? Did you verify it manually?

3. Did you check your forwarder's logs ($SPLUNK_HOME/var/log/splunk/splunkd.log) for errors?



PickleRick
SplunkTrust

OK. Maybe you misunderstand how Splunk works. You don't "connect Splunk to a Linux server". You install the UF on a server and (this might be one of the parts you're missing) you make it send events to Splunk.

So, did you verify any of those things I asked you earlier?

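The three checks above (forwarder alive, connectivity to the receiver and deployment server, errors in splunkd.log) are usually what separates "UF installed" from "UF sending". The script below is an added example written for this thread, not something posted by either participant or shipped by Splunk. It wraps the real `splunk` CLI subcommands (`status`, `list forward-server`, `show deploy-poll`, `list monitor`) and filters splunkd.log for the two message sources that explain an empty index: TcpOutputProc (indexer output) and DC:DeploymentClient (deployment server polling). The install path defaults to /opt/splunkforwarder, which is an assumption; the embedded log excerpt is a constructed sample in the splunkd.log layout with invented addresses.

```shell
#!/bin/sh
# Added triage helper for a Linux Universal Forwarder that delivers nothing.
# Not from the thread. Install path is an assumption; override with SPLUNK_HOME.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Constructed sample splunkd.log lines (real layout, invented hosts and times).
# The WARN/ERROR lines are the typical signatures of a UF that cannot reach
# its indexers (TcpOutputProc) or its deployment server (DC:DeploymentClient).
SAMPLE_LOG='01-15-2024 10:22:33.101 +0000 INFO  TailingProcessor - Adding watch on path: /var/log/secure.
01-15-2024 10:22:34.220 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
01-15-2024 10:22:40.002 +0000 ERROR TcpOutputProc - Connection to host=10.0.0.5:9997 failed
01-15-2024 10:22:41.777 +0000 WARN  DC:DeploymentClient - Unable to connect to server 10.0.0.9:8089
01-15-2024 10:22:45.013 +0000 INFO  Metrics - group=thruput, name=thruput'

# Keep only WARN/ERROR lines from the output pipeline or the deployment client.
# Reads splunkd.log text on stdin; INFO noise (metrics, tailing) is dropped.
uf_delivery_errors() {
    grep -E '(WARN|ERROR) +(TcpOutputProc|DC:DeploymentClient)'
}

# Number of such lines on stdin. Zero means delivery looks fine and the gap is
# more likely in inputs.conf or the target index name, not in connectivity.
count_uf_errors() {
    uf_delivery_errors | wc -l | tr -d ' '
}

# Live checks on a host that actually has the forwarder installed.
# Each CLI call answers one of the questions in the thread.
uf_triage() {
    if [ ! -x "$SPLUNK_HOME/bin/splunk" ]; then
        echo "no forwarder found at $SPLUNK_HOME" >&2
        return 1
    fi
    "$SPLUNK_HOME/bin/splunk" status                  # is splunkd running at all?
    "$SPLUNK_HOME/bin/splunk" list forward-server     # outputs.conf: which indexers, active or inactive?
    "$SPLUNK_HOME/bin/splunk" show deploy-poll        # deploymentclient.conf: which DS is polled?
    "$SPLUNK_HOME/bin/splunk" list monitor            # inputs.conf: any monitored paths delivered by the DS?
    echo "delivery errors in splunkd.log: $(count_uf_errors < "$SPLUNK_HOME/var/log/splunk/splunkd.log")"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | uf_delivery_errors
```

Run `uf_triage` as the user that owns the forwarder; a forward-server listed under "Inactive forwards" together with TcpOutputProc errors points at the receiver (port 9997 not open, no `splunktcp` input on the indexer), while DC:DeploymentClient errors mean the server class and its nix app never reached the host, so `list monitor` will be empty no matter how the app is written.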