Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trouble getting the Windows universal forwarder to forward data

ShaunBaker
Path Finder
‎11-22-2017 02:05 PM

Hello all, I can't seem to get the windows universal forwarder to forward data.
- Splunk indexer (7.x.x) is on CentOS7, 8089 and 9997 open on firewall
- Latest Splunk forwarder installed on windows 10
- Did not go into customize on windows installer GUI, but did put the win event stanza from documentation into the forwarder inputs.conf (system local).
- opened 9997 data input in webui
- Turned off windows firewall for troubleshooting.
- Downloaded various windows apps/add-ons to splunk indexer thinking it was a deployment thing

What am I missing?

0 Karma
Reply

ShaunBaker
Path Finder
‎11-22-2017 05:25 PM

I have the splunk add-on for windows on the indexer, am I supposed to move it form apps to deployment apps so that it can be used for a server class?

0 Karma
Reply

mtulett_splunk
Splunk Employee
Splunk Employee
‎11-22-2017 06:18 PM

I've updated my answer with a link to the installation guide for universal forwarders.

You can place the Add-on in deployment apps, but you will need to configure the universal forwarder to poll the indexer for configuration, as well as creating a server class for the server (this can be achieved through conf files or the GUI).

I would suggest reading the 'About deployment server' documentation from the link in my answer if you are curious about this, as the topic is too large to properly cover in an answer here.

0 Karma
Reply

ShaunBaker
Path Finder
‎11-23-2017 12:09 AM

I think I got it working- I copied the windows add-on over to deployment-apps and already had the client showing up in forwarder manager, so created a server class, added the windows app and after a while the windows logs finally started rolling in.

0 Karma
Reply

mtulett_splunk
Splunk Employee
Splunk Employee
‎11-23-2017 02:21 PM

Great to hear!

0 Karma
Reply

mtulett_splunk
Splunk Employee
Splunk Employee
‎11-22-2017 02:58 PM

The Add-on has all the right configuration to ingest windows events. This needs to be installed on the universal forwarder so that the forwarder knows what information to push to the indexer.

Typically, a deployment server is used to push this configuration to the universal forwarders. You can read more about them here:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...