Getting Data In

Universal Forwarder not sending monitor after installing Splunk App for Windows Infrastructure

tbrown
Path Finder

I installed the Splunk App for Windows Infrastructure using the following Splunk guide: https://docs.splunk.com/Documentation/MSApp/2.0.1/MSInfra/AbouttheSplunkAppforMSInfrastructure. I set up my the Splunk deployment server on my Splunk Enterprise Instance. For some reason, the Splunk Forwarder that I set up to be a client of this server is no longer sending the logs from the monitor that I defined in C:\Program FIles\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf. 

The Splunk Windows Add-on and the Splunk App for Windows Infrastructure is working correctly and is sending the Windows logs to the deployment server. 

I believe I need to change something in the setting of the deployment server/clients/server class to get my monitor to send the logs to the "main" index but I don't know what to change.

 

Labels (2)
0 Karma

anilchaithu
Builder

@tbrown 

This has nothing to do with the app.

Please check the below.

1) Can you please check whether the role that run splunkd has access to the data to be monitored.

2) Does the client is forwarding internal logs to the main splunk instance. index=_internal host="client"

3) Does the client communicating to the deployment server? settings -> forwarder management

4) if all the above checks out, please look for errors in the splunkd logs on the client .

 

 

0 Karma

tbrown
Path Finder

Some more information, when I do ./splunk list monitor on both the Splunk instance and the forwarder, the correct directories show up so they are recognized as inputs. I think the issue is therefore related to how I configured the "Universal Forwarders" server class or my clients in the deployment server.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...