Getting Data In

Trouble setting up universal forwarder for Windows Log Collection

ghostdog920
Path Finder

I am trying to set up my Splunk Enterprise 6.6.1 to be able to ingest Windows logs from remote PCs but not having much luck. I know I am missing something, or not comprehending something, but can't figure it out.

So far, I have configured the receiver on my indexer as TCP port 9997. I have installed the Windows universal forwarder v. 7.0.0 on the Windows PC I want to collect the logs from. I have enabled it to collect both the system and application logs. I am seeing the following in my splunkd log file on the client where the universal forwarder is installed:

09-29-2017 08:58:23.417 -0400 INFO TcpOutputProc - Connected to idx=10.0.103.210:9997, pset=0, reuse=0.
09-29-2017 08:58:59.026 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.1.211.25_8089_bens-testbox.patientfirst.com_BENS-TESTBOX_FC09E8A3-4F3E-4CCC-BF5B-8C3D6884D2C4
09-29-2017 08:59:59.040 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.1.211.25_8089_bens-testbox.patientfirst.com_BENS-TESTBOX_FC09E8A3-4F3E-4CCC-BF5B-8C3D6884D2C4

I have the following in my inputs config on the universal forwarder client:

[default]
host = BENS-TESTBOX

# Windows platform specific input processor.

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 1

[WinEventLog://System]
disabled = 0

I then have the following in my Splunk Enterprise inputs config file:

[default]
host = splunk1
[splunktcp://9997]
connection_host = none
disabled = 0

When I try and do a search through my search head (currently my setup is a single indexer with a single separate search head) for host: #ipofclientpc, I don't get anything.

I have not set up a data input, which I think is my issue, but can't figure out the correct process to configure that to pull/receive from the forwarder.

If anyone can help, I would be most appreciative.

0 Karma
1 Solution

wandre_splunk
Splunk Employee

Download and install the Splunk add-on for Windows if you have not already done so.
https://splunkbase.splunk.com/app/742/#/details

It needs to be installed both where the Universal Forwarder is installed and on your Splunk Enterprise server. If you have a separate indexer and search head, then install on Search Head as well.

The compressed file you download needs to be uncompressed and placed in the following directory: $Splunk_Home/etc/apps

On the Universal Forwarder only, enable data collection by setting the Disabled parameter in inputs.conf to 0. Restart your Universal Forwarder after editing inputs.conf using Notepad.

Check the following index for data depending on what you’re collecting.
index=windows
index=wineventlog
index=perfmon


0 Karma
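A check you can run against the forwarder's files after following these steps, as an added example that is not from this thread or from Splunk: it parses the Universal Forwarder's inputs.conf to list which WinEventLog channels are actually enabled (so a stanza still left at disabled = 1 stands out) and confirms the add-on landed directly in etc/apps rather than one directory too deep. Assumptions: the add-on's folder is named Splunk_TA_windows and contains default/app.conf, and you pass the forwarder's SPLUNK_HOME path yourself.

```python
import re
from pathlib import Path

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
# Values Splunk treats as "not disabled" for a boolean setting.
FALSE_VALUES = {"0", "false", "f", "no", "n"}

def parse_inputs_conf(text: str) -> dict:
    """Parse inputs.conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def enabled_wineventlog_channels(stanzas: dict) -> list:
    """Channel names whose stanza is enabled, honouring a [default] 'disabled' value."""
    fallback = stanzas.get("default", {}).get("disabled", "0")
    enabled = []
    for name, keys in stanzas.items():
        if name.startswith("WinEventLog://"):
            if keys.get("disabled", fallback).strip().lower() in FALSE_VALUES:
                enabled.append(name.split("://", 1)[1])
    return sorted(enabled)

def addon_unpacked_correctly(splunk_home: Path) -> bool:
    """True when Splunk_TA_windows (assumed folder name) sits directly under etc/apps.
    An archive extracted one level too deep (etc/apps/Splunk_TA_windows/Splunk_TA_windows/...)
    fails this check, which is the mistake reported later in the thread."""
    return (splunk_home / "etc" / "apps" / "Splunk_TA_windows" / "default" / "app.conf").is_file()

# Constructed sample: the forwarder-side inputs.conf shown in the question.
SAMPLE_INPUTS_CONF = """[default]
host = BENS-TESTBOX
# Windows platform specific input processor.
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 0
"""
```

Run it as `enabled_wineventlog_channels(parse_inputs_conf(Path(r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf").read_text()))`, substituting wherever your forwarder keeps its edited inputs.conf.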

ghostdog920
Path Finder

Ok, your suggestion worked. Turns out I didn't uncompress the file far enough down to be usable by Windows. Once I realized my goof, I got things straight and began to see the events coming over. Thanks again.

0 Karma

ghostdog920
Path Finder

Thanks for that info. I downloaded and installed the add-on through the web GUI on both the search head and indexer. I then went to the Windows box we are trying to collect from, where I installed the universal forwarder, and placed the extracted directory in the etc/apps folder. I confirmed my inputs.conf is set to 0 on the universal forwarder as well and restarted the service. Unfortunately I still don't see events on my search head.

Not sure what to try next?

0 Karma

ghostdog920
Path Finder

What you said was correct. The error ended up being that I didn't decompress the file enough to be usable by Windows. Once I realized my error and corrected it, it started working. Thanks again.

0 Karma