Universal Forwarder Not sending my windows events ...

singhkrmanish76 · ‎12-22-2017

Well! i have configured my suplunk server to accept logs on 9997 from remote. And i have configure my universal forwarder to forward logs to my splunk server to 9997 port.
My output.conf file is as:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.71.250:9997

[tcpout-server://10.0.71.250:9997]

and my input.conf is as:

[default]
host = splunk1-PC

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog:Application]
disable = false

[WinEventLog:Security]
disable = false

[WinEventLog:System]
disable = false

By doing netstat -n to my splunk server and windows system [universal forwarder] is can see this vice versa

Local Address Foreign Address State
10.0.70.70:51137 10.0.71.250:9997 ESTABLISHED

apache logs are coming from the windows system[universal forwarder] but windows events are not. I am unable to find the exact problem. Kindly help!!

micahkemp · ‎12-26-2017

Your disabled configuration lines appear to have a typo. They should be disabled = 0 (or false), not disable.

You can verify your configuration by running splunk btool inputs list --debug and looking for the ones you attempted to enable to see if they still show disabled = 1 (or true).

ddrillic · ‎12-22-2017

A cheerful place to start at I can't find my data!

Universal Forwarder Not sending my windows events log

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Universal Forwarder Not sending my windows events log

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I