Getting Data In

No events from Universal Forwarder

aly347774
Loves-to-Learn Lots

I installed the Universal Forwarder on a Linux machine and integrated it with Splunk, but there are no logs returned on the Splunk search head. As per your knowledge, I'm currently working on distributed Splunk Enterprise.

Any recommendations?

0 Karma

aly347774
Loves-to-Learn Lots

I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

When I searched the search head, no logs appeared.
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?

0 Karma

PickleRick
SplunkTrust

OK. You downloaded and installed the UF. I assume you started it as well. But as you are apparently using a Deployment Server, did you configure your UF to connect to that DS?

0 Karma

aly347774
Loves-to-Learn Lots

I have specified a specific index so that we can send the logs to it, but when I search in the search head, there are no logs found.
Do I have to specify anything in the Input.conf file?

0 Karma

PickleRick
SplunkTrust

What do you mean by "I integrated my UF with Splunk"?

Also the usual questions.

1. Do you have _any_ events from this forwarder (especially forwarder's own logs in _internal index) in your Splunk?

2. Do you have connectivity from your UF to your receiving component(s)? Did you verify it manually?

3. Did you check your forwarder's logs ($SPLUNK_HOME/var/log/splunk/splunkd.log) for errors?

0 Karma
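Added example, not part of PickleRick's post or of any Splunk-provided tooling: a small POSIX shell helper that works through questions 2 and 3 above against a forwarder's splunkd.log. It pulls out WARN/ERROR lines from the output (TcpOutputProc) and deployment-client (DC:DeploymentClient) subsystems and lists the receiver ip:port pairs the UF could not reach. The sample log embedded below is constructed to approximate real splunkd.log lines; `SPLUNK_HOME=/opt/splunkforwarder` is assumed as the usual UF default, and the commented CLI commands at the end are for running on a real forwarder.

```shell
#!/bin/sh
# Assumed default install path for the Universal Forwarder (override with SPLUNK_HOME)
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Constructed sample splunkd.log: a UF that cannot reach two receivers on 9997
# and cannot complete its handshake with the deployment server.
SAMPLE_SPLUNKD_LOG='05-20-2024 10:01:02.123 +0000 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 10.0.0.5:9997
05-20-2024 10:01:32.456 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
05-20-2024 10:01:32.457 +0000 ERROR TcpOutputProc - Connection to host=10.0.0.5:9997 failed
05-20-2024 10:02:02.789 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.6:9997 timed out
05-20-2024 10:02:10.000 +0000 INFO  DC:DeploymentClient - Starting phonehome thread.
05-20-2024 10:02:11.000 +0000 WARN  DC:DeploymentClient - Unable to send handshake message to deployment server. Error status is: not connected'

# Print WARN/ERROR lines from the forwarding and deployment-client subsystems.
# $1: path to splunkd.log
uf_problem_lines() {
  grep -E '(WARN|ERROR) +(TcpOutputProc|DC:DeploymentClient)' "$1"
}

# Print the distinct receiver ip:port pairs that timed out or failed, one per line.
# $1: path to splunkd.log
uf_failed_receivers() {
  grep -E 'TcpOutputProc - (Cooked connection to ip=|Connection to host=)' "$1" \
    | grep -oE '[0-9]+(\.[0-9]+){3}:[0-9]+' \
    | sort -u
}

# Number of distinct unreachable receivers (0 means the log shows no output failures).
# $1: path to splunkd.log
uf_failed_receiver_count() {
  uf_failed_receivers "$1" | wc -l | tr -d ' '
}

# Run the checks against the constructed sample so the script demonstrates itself offline.
uf_demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_SPLUNKD_LOG" > "$tmp"
  echo "== WARN/ERROR lines from output and deployment client =="
  uf_problem_lines "$tmp"
  echo "== receivers the UF could not reach =="
  uf_failed_receivers "$tmp"
  echo "== unreachable receiver count: $(uf_failed_receiver_count "$tmp") =="
  rm -f "$tmp"
}

# On a real forwarder (not run here) the same functions apply to the live log,
# together with the CLI views that answer PickleRick's questions directly:
#   "$SPLUNK_HOME/bin/splunk" list forward-server    # configured receivers and whether they are active
#   "$SPLUNK_HOME/bin/splunk" show deploy-poll       # which deployment server the UF phones home to
#   nc -z -w 3 <receiver-host> 9997                   # raw TCP reachability to the receiving port
#   uf_problem_lines "$SPLUNK_HOME/var/log/splunk/splunkd.log"
#   uf_failed_receivers "$SPLUNK_HOME/var/log/splunk/splunkd.log"

uf_demo
```

If `uf_failed_receivers` prints anything on a real forwarder, the problem is between the UF and its receivers (firewall, wrong outputs.conf, receiver not listening on 9997), and no amount of changing the nix app's inputs will make events appear; if it prints nothing and there are also no DC:DeploymentClient warnings, look at the inputs side next (index exists, monitor path readable by the splunk user).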

aly347774
Loves-to-Learn Lots

I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

When I searched the search head, no logs appeared.
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?

0 Karma

PickleRick
SplunkTrust

OK. Maybe you misunderstand how Splunk works. You don't "connect splunk to a linux server". You install UF on a server and (and that might be one of the parts you're missing) you're making it send events to Splunk.

So, did you verify any of those things I asked you earlier?

0 Karma