Universal Forwarder Not sending my windows events ...

singhkrmanish76 · ‎12-22-2017

Well! i have configured my suplunk server to accept logs on 9997 from remote. And i have configure my universal forwarder to forward logs to my splunk server to 9997 port.
My output.conf file is as:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.71.250:9997

[tcpout-server://10.0.71.250:9997]

and my input.conf is as:

[default]
host = splunk1-PC

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog:Application]
disable = false

[WinEventLog:Security]
disable = false

[WinEventLog:System]
disable = false

By doing netstat -n to my splunk server and windows system [universal forwarder] is can see this vice versa

Local Address Foreign Address State
10.0.70.70:51137 10.0.71.250:9997 ESTABLISHED

apache logs are coming from the windows system[universal forwarder] but windows events are not. I am unable to find the exact problem. Kindly help!!

micahkemp · ‎12-26-2017

Your disabled configuration lines appear to have a typo. They should be disabled = 0 (or false), not disable.

You can verify your configuration by running splunk btool inputs list --debug and looking for the ones you attempted to enable to see if they still show disabled = 1 (or true).

ddrillic · ‎12-22-2017

A cheerful place to start at I can't find my data!

Universal Forwarder Not sending my windows events log

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation