Getting Data In

No events from Universal Forwarder

aly347774
Loves-to-Learn Lots

I installed the Universal Forwarder on a Linux machine and integrated it with Splunk, but there are no logs returned on the Splunk search head. For your information, I'm currently working on a distributed Splunk Enterprise deployment.

Any recommendations?

0 Karma

aly347774
Loves-to-Learn Lots

I want to connect Splunk to the Linux server, and I downloaded the UF onto the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

When I searched on the search head, no logs appeared.
I think the error is in the nix app. Does anyone know what modifications need to be made to the nix app so that I can get the security logs?

0 Karma

PickleRick
SplunkTrust

OK. You downloaded and installed the UF. I assume you started it as well. But as you are apparently using a Deployment Server, did you configure your UF to connect to that DS?

0 Karma

aly347774
Loves-to-Learn Lots

I have specified a specific index so that we can send the logs to it, but when I search on the search head, no logs are found.
Do I have to specify anything in the inputs.conf file?

0 Karma

PickleRick
SplunkTrust

What do you mean by "I integrated my UF with Splunk"?

Also, the usual questions:

1. Do you have _any_ events from this forwarder (especially forwarder's own logs in _internal index) in your Splunk?

2. Do you have connectivity from your UF to your receiving component(s)? Did you verify it manually?

3. Did you check your forwarder's logs ($SPLUNK_HOME/var/log/splunk/splunkd.log) for errors?

0 Karma
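The nix-app question earlier in the thread and the checklist in the reply above (is the UF pointed at the DS, can it reach the receiver, what does splunkd.log say) can be worked through with the script below. This is an added example, not code from the thread or from Splunk. The hostnames, the two app names (uf_outputs and nix_security_inputs), the index name linux_security and the sample splunkd.log lines are assumptions or constructed for the demo; the index must exist on the indexers or they will drop the events.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Splunk. Stages the minimal config a
# DS-managed UF needs, then runs the checks from the replies on a live host.
# Hosts, app names (uf_outputs, nix_security_inputs) and the index are assumptions.
set -u
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Read one key from one stanza of a Splunk .conf file (first match wins).
conf_get() {  # conf_get <file> <stanza without brackets> <key>
  awk -v s="[$2]" -v k="$3" '
    $0 == s         { in_s = 1; next }
    /^\[/           { in_s = 0 }
    in_s && $1 == k { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1" 2>/dev/null
}

# The UF itself only needs deploymentclient.conf (where to phone home). The DS
# then pushes two apps: outputs.conf (where events go) and the nix app's
# inputs.conf (which Linux security logs to read and which index to use).
write_uf_config() {  # write_uf_config <dir> <ds-host:8089> <indexer-host:9997> <index>
  local d="$1" ds="$2" idx="$3" index="$4"
  mkdir -p "$d/etc/system/local" "$d/etc/apps/uf_outputs/local" \
           "$d/etc/apps/nix_security_inputs/local"
  cat > "$d/etc/system/local/deploymentclient.conf" <<EOF
[target-broker:deploymentServer]
targetUri = $ds
EOF
  cat > "$d/etc/apps/uf_outputs/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $idx
EOF
  # The index must already exist on the indexers; otherwise they drop the events.
  cat > "$d/etc/apps/nix_security_inputs/local/inputs.conf" <<EOF
[monitor:///var/log/auth.log]
disabled = 0
index = $index
sourcetype = linux_secure

[monitor:///var/log/secure]
disabled = 0
index = $index
sourcetype = linux_secure
EOF
}

# Check 2: can the UF open a TCP connection to host:port? (bash /dev/tcp, 3 s limit)
port_open() {  # port_open <host> <port>
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check 3: count ERROR/WARN lines in splunkd.log
# (line format: MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message).
log_problems() {  # log_problems <splunkd.log>  -> prints the count
  grep -cE '^[0-9]{2}-[0-9]{2}-[0-9]{4} [0-9:.]+ [+-][0-9]{4} (ERROR|WARN) ' "$1" || true
}

# Constructed sample of what a UF that cannot reach its receiver logs (not a real capture).
write_sample_splunkd_log() {  # write_sample_splunkd_log <path>
  cat > "$1" <<'EOF'
03-14-2024 10:15:20.101 +0000 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to idx.example.internal:9997
03-14-2024 10:15:21.202 +0000 ERROR TcpOutputProc - Connection to host=idx.example.internal:9997 failed
03-14-2024 10:15:22.303 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
03-14-2024 10:15:23.404 +0000 INFO  DC:DeploymentClient - Starting phonehome thread.
EOF
}

# Run the checks on a live UF. Check 1 (the forwarder's own logs reaching Splunk)
# is done on the search head instead:  index=_internal host=<uf-host> sourcetype=splunkd
check_uf() {
  "$SPLUNK_HOME/bin/splunk" status || echo "UF is not running; start it with $SPLUNK_HOME/bin/splunk start"
  local ds target host port
  # btool merges every deploymentclient.conf / outputs.conf on the UF, whichever app delivered it.
  ds=$("$SPLUNK_HOME/bin/splunk" btool deploymentclient list | awk '$1 == "targetUri" {print $3}')
  echo "deployment server: ${ds:-NONE (the UF will never receive the apps from the DS)}"
  for target in $("$SPLUNK_HOME/bin/splunk" btool outputs list | awk '$1 == "server" {print $3}' | tr ',' ' '); do
    host=${target%:*}; port=${target##*:}
    if port_open "$host" "$port"; then echo "receiver $target: reachable"
    else echo "receiver $target: NOT reachable (firewall? receiving port not enabled on the indexer?)"; fi
  done
  echo "ERROR/WARN lines in splunkd.log: $(log_problems "$SPLUNK_HOME/var/log/splunk/splunkd.log")"
}

case "${1:-}" in
  stage) write_uf_config "$2" "$3" "$4" "$5" ;;
  check) check_uf ;;
  *)     echo "usage: $0 stage <dir> <ds-host:8089> <indexer-host:9997> <index> | check" >&2 ;;
esac
```

Run "stage" to produce the three files in a scratch directory and compare them with what the DS is actually pushing (the apps land under $SPLUNK_HOME/etc/apps on the UF once it phones home), and run "check" on the UF host itself. A UF whose splunkd.log shows TcpOutputProc connection failures, as in the constructed sample, will not deliver anything, not even its own _internal events, so fixing reachability of port 9997 comes before touching the nix app.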


PickleRick
SplunkTrust

OK. Maybe you misunderstand how Splunk works. You don't "connect Splunk to a Linux server". You install a UF on a server and (this might be one of the parts you're missing) you make it send events to Splunk.

So, did you verify any of those things I asked you earlier?

0 Karma