I am trying to set up my Splunk Enterprise 6.6.1 to be able to ingest Windows logs from remote PCs but am not having much luck. I know I am missing something, or not comprehending something, but can't figure it out.
So far, I have configured the receiver on my indexer as TCP port 9997. I have installed the Windows Universal Forwarder v7.0.0 on the Windows PC I want to collect the logs from. I have enabled collection of both the System and Application logs. I am seeing the following in my splunkd log file on the client where the Universal Forwarder is installed:
09-29-2017 08:58:23.417 -0400 INFO TcpOutputProc - Connected to idx=10.0.103.210:9997, pset=0, reuse=0.
09-29-2017 08:58:59.026 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.1.211.25_8089_bens-testbox.patientfirst.com_BENS-TESTBOX_FC09E8A3-4F3E-4CCC-BF5B-8C3D6884D2C4
09-29-2017 08:59:59.040 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.1.211.25_8089_bens-testbox.patientfirst.com_BENS-TESTBOX_FC09E8A3-4F3E-4CCC-BF5B-8C3D6884D2C4
I have the following in my inputs config on the universal forwarder client:
[default]
host = BENS-TESTBOX
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 0
I then have the following in my Splunk Enterprise inputs config file:
[default]
host = splunk1
[splunktcp://9997]
connection_host = none
disabled=0
When I try to do a search through my search head (currently my setup is a single indexer with a single separate search head) for host: #ipofclientpc, I don't get anything.
I have not set up a data input, which I think is my issue, but can't figure out the correct process to configure that to pull/receive from the forwarder.
If anyone can help, I would be most appreciative.
Download and install the Splunk add-on for Windows if you have not already done so.
https://splunkbase.splunk.com/app/742/#/details
It needs to be installed both where the Universal Forwarder is installed and on your Splunk Enterprise server. If you have a separate indexer and search head, then install on Search Head as well.
The compressed file you download needs to be uncompressed and placed in the following directory: $Splunk_Home/etc/apps
On the Universal Forwarder only, enable data collection by setting the disabled parameter in inputs.conf to 0. Restart your Universal Forwarder after editing inputs.conf using Notepad.
Check the following index for data depending on what you’re collecting.
index=windows
index=wineventlog
index=perfmon
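As an added example (not code from the thread or from Splunk), a Python pre-flight script that checks the two things the answer above points at before you go hunting on the search head: that the add-on is really unpacked under etc/apps rather than left as a .tgz/.tar, and which WinEventLog stanzas in the forwarder's inputs.conf are actually enabled. The app directory name Splunk_TA_windows and the default/app.conf layout are assumptions; the sample inputs.conf is the one quoted in the question.

```python
"""Pre-flight checks for a Universal Forwarder's Windows inputs: add-on not unpacked fully, stanzas disabled."""
import configparser  # Splunk .conf files are INI-like; a stanza such as [WinEventLog://System] parses fine
import tempfile
from pathlib import Path

APP_NAME = "Splunk_TA_windows"          # assumption: directory name of the unpacked add-on
REQUIRED_FILES = ("default/app.conf",)  # assumption: a file every correctly unpacked Splunk app carries

def parse_inputs_conf(text):
    """Return {stanza: {key: value}} with [default] settings merged into every other stanza."""
    cp = configparser.RawConfigParser(strict=False, default_section="__unused__")
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    defaults = dict(cp["default"]) if cp.has_section("default") else {}
    return {name: {**defaults, **cp[name]} for name in cp.sections() if name != "default"}

def enabled_wineventlog_channels(stanzas):
    """Channels the forwarder will actually read (Splunk accepts 0/1 and true/false for 'disabled')."""
    prefix = "WinEventLog://"
    return sorted(n[len(prefix):] for n, s in stanzas.items()
                  if n.startswith(prefix) and s.get("disabled", "0").strip().lower() not in ("1", "true"))

def check_app_layout(apps_dir):
    """Report why the add-on under etc/apps will not load: required files missing, or a .tgz/.tar
    still sitting there because the download was not unpacked far enough."""
    apps_dir = Path(apps_dir)
    problems = [f"{apps_dir / APP_NAME / rel} is missing"
                for rel in REQUIRED_FILES if not (apps_dir / APP_NAME / rel).is_file()]
    if apps_dir.is_dir():
        for pattern in ("*.tgz", "*.tar"):
            for archive in sorted(apps_dir.glob(pattern)):
                problems.append(f"{archive.name} is still an archive; extract it in place")
    return problems

# Constructed sample: the forwarder inputs.conf quoted in the question.
SAMPLE_INPUTS_CONF = """\
[default]
host = BENS-TESTBOX
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 0
"""

if __name__ == "__main__":
    print("enabled channels:", enabled_wineventlog_channels(parse_inputs_conf(SAMPLE_INPUTS_CONF)))
    with tempfile.TemporaryDirectory() as apps:  # simulate a half-unpacked download left in etc/apps
        (Path(apps) / "splunk-add-on-for-microsoft-windows.tgz").write_bytes(b"")
        for problem in check_app_layout(apps):
            print("layout problem:", problem)
```

Point check_app_layout at the real etc/apps of the forwarder and the indexer; an empty list from both, plus Application and System in the enabled channels, means the remaining suspects are the receiver port and the index you are searching.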
Ok, your suggestion worked. Turns out I didn't uncompress the file far enough down to be usable by Windows. Once I realized my goof, I got things straight and began to see the events coming over. Thanks again.
Thanks for that info. I downloaded and installed the add-on through the web GUI on both the search head and indexer. I then went to the Windows box we are trying to collect from, where I installed the Universal Forwarder, and placed the extracted directory in the etc/apps folder. I confirmed my inputs.conf is set to 0 on the Universal Forwarder as well and restarted the service. Unfortunately I still don't see events on my search head.
Not sure what to try next?
What you said was correct. The error ended up being that I didn't decompress the file enough to be usable by Windows. Once I realized my error and corrected it, it started working. Thanks again.