Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

No events from Universal Forwarder

aly347774
Loves-to-Learn Lots
‎01-21-2024 11:12 PM

I installed Universal Forwarder On Linux Machine and integrate it with Splunk , but their is no logs returned on Splunk Search Head ,  as per your Knowledge I`m currently working on distributed Splunk Enterprise .

 

Any Recommendations ?

Labels (2)
0 Karma
Reply

aly347774
Loves-to-Learn Lots
‎01-22-2024 02:33 AM

I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

 

When I searched the search head, no logs appeared
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-22-2024 02:37 AM

OK. You downloaded and installed the UF. I assume you started it as well. But as you are apparently using a Deployment Server, did you configure your UF to connect to that DS?

0 Karma
Reply

aly347774
Loves-to-Learn Lots
‎01-22-2024 10:28 PM

I have specified a specific index so that we can send the logs to it, but when I search in the search head, there are no logs found.
Do I have to specify anything in the Input.conf file?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-22-2024 12:28 AM

What do you mean by "I integrated my UF with Splunk"?

Also the usual questions.

1. Do you have _any_ events from this forwarder (especially forwarder's own logs in _internal index) in your Splunk?

2. Do you have connectivity from your UF to your receiving component(s)? Did you verify it manually?

3. Did you check your forwarder's logs ($SPLUNK_HOME/var/log/splunk/splunkd.log) for errors?

0 Karma
Reply

aly347774
Loves-to-Learn Lots
‎01-22-2024 02:36 AM

I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

 

When I searched the search head, no logs appeared
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-23-2024 11:05 AM

OK. Maybe you misunderstand how Splunk works. You don't "connect splunk to a linux server". You install UF on a server and (and that might be one of the parts you're missing) you're making it send events to Splunk.

So, did you verify any of those things I asked you earlier?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...