Getting Data In

Splunk Cloud Not seeing Windows logs

sidnakvee
Explorer

Hi,

I am new to Splunk, just got the Free Cloud Trial. I did the following:

1- Logged in to Cloud trial instance

2- Created index named winpc

3- App > Universal Forwarder and downloaded on Win PC

4- Installed Forwarder on Win PC; during the step "use this agent with", selected "use with cloud instance"

5- Receiver index left blank; had no idea about my Splunk instance FQDN/IP

6- Checked services: Splunk Universal Forwarder service running as Logon As Local System

Issues:

1- No logs I can see in the index winpc I created, even after waiting an hour or so

2- How can I tell the forwarder to forward Windows and Sysmon logs too? Should I edit the inputs.conf file?

Kindly guide and help so that I may get logs and learn further.

Regards


gcusello
SplunkTrust

Hi @sidnakvee ,

Did you install the Splunk_TA_Windows add-on (https://splunkbase.splunk.com/app/742) on your PC?

In addition, remember that, as @KendallW hinted, you need to enable the inputs you want, copying the inputs.conf from the default to the local folder.

In addition, in these stanzas you have to add the row:

index = winpc

There's another check that you could perform: run this search:

index=_internal

and, viewing the hosts, do you see the hostnames of your PCs?

Same procedure for Sysmon:

download and install the Splunk Add-on for Sysmon (https://splunkbase.splunk.com/app/5709) on your PCs,

check the enablement state of the inputs and enable the ones you like, adding the index option.

Ciao.

Giuseppe

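Added example (mine, not Giuseppe's or Splunk's code): a small Python check that layers a local inputs.conf over an add-on's default one the way Splunk's local-over-default precedence works, and reports which stanzas would still be disabled or would not land in winpc. Both conf texts are constructed; stanza names use the WinEventLog:// form that Splunk_TA_windows ships with.

```python
"""Layer local/inputs.conf over default/inputs.conf the way Splunk does and
report stanzas that would still be disabled or would not write to 'winpc'.
Both conf texts below are constructed for this example."""
import configparser

# Constructed add-on default: every input shipped disabled.
DEFAULT_CONF = """
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 1
[WinEventLog://Application]
disabled = 1
"""

# Constructed local override: Security done right, System enabled but with no
# index (so it lands in the default index), Application never touched.
LOCAL_CONF = """
[WinEventLog://Security]
disabled = 0
index = winpc
[WinEventLog://System]
disabled = 0
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keys case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def layer(default, local):
    """Splunk precedence: a key in local wins over the same key in default."""
    merged = {s: dict(v) for s, v in default.items()}
    for stanza, keys in local.items():
        merged.setdefault(stanza, {}).update(keys)
    return merged

def audit(merged, wanted_index):
    """Return {stanza: problem} for inputs that will not reach wanted_index."""
    problems = {}
    for stanza, keys in merged.items():
        if keys.get("disabled", "0").lower() in ("1", "true"):
            problems[stanza] = "disabled"
        elif keys.get("index") != wanted_index:
            problems[stanza] = "index is %r, expected %r" % (keys.get("index"), wanted_index)
    return problems

if __name__ == "__main__":
    merged = layer(parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF))
    for stanza, why in audit(merged, "winpc").items():
        print(stanza, "->", why)
```

Run it against the real default/ and local/ inputs.conf of Splunk_TA_windows on the forwarder to see which stanzas still need disabled = 0 and index = winpc.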

sidnakvee
Explorer

Hi @gcusello, thanks for your reply and help. Yes, I did the following:

1- Installed Sysmon on my PC

2- Installed Splunk forwarder on my PC

3- Configured the inputs.conf by copying to 

4- Already created index=winpc index on Splunk

5- Don't see my PC / hostname in index=_internal logs for the last 30 days, only see the Splunk hostname

6- Do I need to install the universal forwarder credential package? I tried, but it fails when I try to run the command given here: https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/ConfigSCUFCredentials#Install_the_fo...

7- My Splunk universal forwarder was installed to C:\Program Files\SplunkUniversalForwarder and the service is running.


gcusello
SplunkTrust

Hi @sidnakvee ,

If you don't see any other host in _internal, this means that your PCs aren't connected to Splunk Cloud.

As described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsingforwardingagentsCloud, you have to download the Splunk Forwarder app from Splunk Cloud that contains credentials and configurations to connect to your Splunk Cloud instance.

So the sequence of activity will be:

  • install Splunk Universal Forwarder on your PC,
  • download and install the Splunk Forwarder app from your Splunk Cloud instance,
  • download and install Splunk_TA_Windows and Splunk App for Sysmon from apps.splunk.com,
  • enable wanted inputs in both the apps,
  • enable Sysmon on your PC,
  • probably you need to restart Splunk on the Forwarder.

Let me know.

Ciao.

Giuseppe


sidnakvee
Explorer

Hi,

Finally figured it out: the cloud needed the UF credentials to be installed. So I did that and now I see my logs. Thanks everyone for your support.


gcusello
SplunkTrust
SplunkTrust

Hi @sidnakvee ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


KendallW
Contributor

Hi @sidnakvee
Welcome! I highly suggest checking out some of the free training offered by Splunk, especially this one about getting data into Splunk: https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/ledetail/cours000000000003373 

To answer your question, it sounds like you would like to send data from your local Windows machine to Splunk Cloud using the UF. To do this, you will indeed need to edit the inputs.conf file, for example:

[WinEventLog:Security]
disabled = 0

[WinEventLog:Application]
disabled = 0

[WinEventLog:System]
disabled = 0

[monitor://C:\Path\To\Sysmon\Logs]
disabled = 0

Make sure to restart Splunk on the UF after making any changes, so that the changes are applied.

Next, check that the UF is actually connected to your Splunk Cloud instance and forwarding its internal logs (index=_internal). If not, check the Splunk logs on the UF itself for any connectivity issues. The log files you want to check are "splunkd.log" and "metrics.log" located in ...\splunkforwarder\var\log\splunk\.

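Added example, not KendallW's nor Splunk's code: a Python triage of splunkd.log lines that looks at the TcpOutputProc component, which is the UF's output side, to tell "never tried to forward" apart from "tried and failed". The log lines are constructed in splunkd.log's layout (timestamp, zone, level, component, message); the first verdict assumes that a forwarder with no TcpOutputProc entries at all has no outputs.conf, which on Splunk Cloud is supplied by the forwarder credentials package this thread ended up needing.

```python
"""Triage a universal forwarder's splunkd.log for forwarding connectivity.
LOG_LINES are constructed samples in splunkd.log's layout; point the functions
at the real file under ...\\splunkforwarder\\var\\log\\splunk\\ on the UF."""
import re
from collections import Counter

LOG_LINES = """\
09-14-2023 10:12:01.123 +0000 INFO  WinEventLogInputProcessor - Starting WinEventLog input for Security
09-14-2023 10:12:31.456 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
09-14-2023 10:13:02.789 +0000 ERROR TcpOutputProc - Connection to host=10.0.0.5:9997 failed
09-14-2023 10:13:33.000 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997, pset=0, reuse=0.
""".splitlines()

# timestamp, zone, level, component, " - ", message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)

def parse_line(line):
    """Split one splunkd.log line into fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Classify the forwarder's output side from its TcpOutputProc entries."""
    events = [e for e in map(parse_line, lines) if e]
    out = [e for e in events if e["component"] == "TcpOutputProc"]
    failures = [e for e in out if e["level"] in ("WARN", "ERROR")]
    if not out:
        verdict = "no-output-config"   # never tried: outputs.conf (credentials app) missing
    elif out[-1]["level"] in ("WARN", "ERROR"):
        verdict = "cannot-connect"     # tried and the latest attempt failed: network/port 9997
    else:
        verdict = "connected"          # latest output event is a successful connection
    return {"verdict": verdict, "failures": failures,
            "per_component": Counter(e["component"] for e in events)}

if __name__ == "__main__":
    result = triage(LOG_LINES)
    print(result["verdict"], "after", len(result["failures"]), "output failures")
    for e in result["failures"]:
        print(" ", e["ts"], e["level"], e["msg"])
```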