Getting Data In

Not able to see my windows client logs on Splunk Server

royalchandu
New Member

Hello,

I have splunk installed on CentOS and i want to monitor a log file which is located on a windows host D drive .

I have configured the forwarder on my windows client were i added that log file in data input.

can you please advise what i can do next so i can see those logs in my centOS based splunk server.

Thanks
Chandan

Tags (1)
0 Karma

steinb
Engager

I'm having a similar problem. Splunk server is installed and receives logs via syslog-ng server on the same host and also some logs from splunk forwarder installed on unix systems. I've installed the universal forwarder on a couple of windows hosts and can't get messages to show up. I can see the connection is active both on client and server (netstat). I can also see that something is gettight through, but it's unreadable:

--splunk-cooked-mode-v3-- \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00xspv201vc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x008089\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x1\x00\x00\x00\x13__s2s_capabilities\x00\x00\x00\x00\x14ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00

This worked well in a test environment I set up, no idea why it doesn't here. There seems to be connectivity, so I'm currently working from the assumption there's something wonky with format of the data.

I will admit I'm a bit in over my head here (pretty new to splunk) and any pointers from Splunk Ninjas would be appreciated.

royalchandu
New Member

Below is the ethereal output of my splunk server my windows host IP is 10.20.30.191 .

tethereal -i any port 9997
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
0.000000 172.16.10.4 -> 10.20.30.56 TCP 50761 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=2522376187 TSER=0 WS=2
3.019068 172.16.10.12 -> 10.20.30.56 TCP 44395 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=951490862 TSER=0 WS=2
3.019953 172.16.10.12 -> 10.20.30.56 TCP 44396 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=951490863 TSER=0 WS=2
3.020985 172.16.10.12 -> 10.20.30.56 TCP 44397 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=951490864 TSER=0 WS=2
5.839795 172.16.10.6 -> 10.20.30.56 TCP 51269 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=2464781189 TSER=0 WS=7
6.018377 172.16.10.12 -> 10.20.30.56 TCP 44395 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=951493862 TSER=0 WS=2
6.019417 172.16.10.12 -> 10.20.30.56 TCP 44396 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=951493863 TSER=0 WS=2
6.020440 172.16.10.12 -> 10.20.30.56 TCP 44397 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=951493864 TSER=0 WS=2
6.272273 172.16.10.8 -> 10.20.30.56 TCP 50072 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=401096443 TSER=0 WS=2
7.920443 172.16.10.5 -> 10.20.30.56 TCP 35892 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380
8.015665 172.16.10.12 -> 10.20.30.56 TCP 44400 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=951495859 TSER=0 WS=2
8.840211 172.16.10.6 -> 10.20.30.56 TCP 51269 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=2464784190 TSER=0 WS=7
9.230324 10.20.30.191 -> 10.20.30.56 TCP 49521 > palace-6 [FIN, ACK] Seq=1 Ac k=1 Win=256 Len=0
9.230425 10.20.30.56 -> 10.20.30.191 TCP palace-6 > 49521 [FIN, ACK] Seq=1 Ac k=2 Win=229 Len=0
9.230545 10.20.30.191 -> 10.20.30.56 SMPP SMPP Cancel_sm
9.230551 10.20.30.56 -> 10.20.30.191 TCP palace-6 > 58418 [ACK] Seq=1 Ack=432 Win=1002 Len=0
9.230649 10.20.30.191 -> 10.20.30.56 TCP 49521 > palace-6 [ACK] Seq=2 Ack=2 W in=256 Len=0
9.230674 10.20.30.191 -> 10.20.30.56 TCP 49527 > palace-6 [SYN] Seq=0 Win=819 2 Len=0 MSS=1460 WS=8
9.230702 10.20.30.56 -> 10.20.30.191 TCP palace-6 > 49527 [SYN, ACK] Seq=0 Ac k=1 Win=14600 Len=0 MSS=1460 WS=6
9.230872 10.20.30.191 -> 10.20.30.56 TCP 49527 > palace-6 [ACK] Seq=1 Ack=1 W in=65536 Len=0
9.271718 172.16.10.8 -> 10.20.30.56 TCP 50072 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=401099443 TSER=0 WS=2
10.920291 172.16.10.5 -> 10.20.30.56 TCP 35892 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380
11.016066 172.16.10.12 -> 10.20.30.56 TCP 44400 > palace-6 [SYN] Seq=0 Win=584 0 Len=0 MSS=1380 TSV=951498859 TSER=0 WS=2
14.841321 172.16.10.6 -> 10.20.30.56 TCP 51269 > palace-6 [SYN] Seq=0 Win=5840 Le n=0 MSS=1380 TSV=2464790190 TSER=0 WS=7
15.228675 172.16.10.11 -> 10.20.30.56 TCP 55797 > palace-6 [SYN] Seq=0 Win=5840 Le n=0 MSS=1380 TSV=2524005403 TSER=0 WS=2
16.921152 172.16.10.5 -> 10.20.30.56 TCP 35892 > palace-6 [SYN] Seq=0 Win=5840 Le n=0 MSS=1380
18.228286 172.16.10.11 -> 10.20.30.56 TCP 55797 > palace-6 [SYN] Seq=0 Win=5840 Len=0 MSS=1380 TSV=2524008403 TSER=0 WS=2
21.000422 172.16.10.4 -> 10.20.30.56 TCP 50775 > palace-6 [SYN] Seq=0 Win=5840 Len=0 MSS=1380 TSV=2522397186 TSER=0 WS=2
24.000003 172.16.10.4 -> 10.20.30.56 TCP 50775 > palace-6 [SYN] Seq=0 Win=5840 Len=0 MSS=1380 TSV=2522400186 TSER=0 WS=2
24.228172 172.16.10.11 -> 10.20.30.56 TCP 55797 > palace-6 [SYN] Seq=0 Win=5840 Len=0 MSS=1380 TSV=2524014403 TSER=0 WS=2
^C30 packets captured.

Yes i am getting other events on my splunk server.

0 Karma

Ayn
Legend

Could you please paste your relevant inputs and outputs settings. Are you getting other events from the forwarder, just not these?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...