I am testing universal forwarding in our test environment and also installed the universal forwarder on one of the Windows servers, but can't get the desired logs.
My test environment includes the Splunk Enterprise OVA as the server and a Windows server (with the universal forwarder installed) as the client. I had used the "deployment server" command (set deploy-poll) and then restarted.
On the Splunk Enterprise OVA server
Added a forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs" -> New (could see my desired deployment client in the list). Selected Application, Security & System events.
Also I am getting messages:
First you have to enable receiving from forwarders [Settings -- Forwarding and Receiving -- Receiving].
Then you have to configure on your Forwarder the indexer to send the logs to:
You can do this directly on the Forwarder (only for a test) by running a command on the Forwarder via the CLI:
cd \Program Files\splunkuniversalforwarder\bin
splunk add forward-server <host name or ip address>:<listening port>
Or by deploying a Technology Add-on (TA) that contains an outputs.conf file using the Deployment Server.
Then you have to tell the Forwarder which logs you want to send to the indexer.
To do this you can download a TA from SplunkBase (Splunk_TA_Windows) and then deploy it using the Deployment Server.
Or, for a test, you can copy it (after untarring it twice) into the Forwarder's $SPLUNK_HOME\etc\apps folder.
You can also follow the process described at http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Getstartedwithgettingdatain
Hi Sarag0511, I believe the issue is that, along with the input for the forwarder, you'll have to create an output that sends the events to the indexer.
The indexer will need to have a network input, and also have the same index names that are specified in the input config on the forwarder.
This page has some commands that can be run on the forwarder to set up the config: http://docs.splunk.com/Documentation/Forwarder/7.1.0/Forwarder/Configuretheuniversalforwarder#Config...
Please let me know if this helps!
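Putting the two answers above together (receiving port on the indexer, outputs.conf on the forwarder, matching index names, and the Windows event log inputs), here is an added example of the minimal config files involved; it is not from the original thread or from Splunk's own TA. The indexer address 10.0.0.5, port 9997 and the index name wineventlog are assumed placeholders.

```ini
# --- Indexer (Splunk Enterprise OVA): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Open the receiving port; equivalent to Settings -> Forwarding and Receiving -> Receiving.
[splunktcp://9997]
disabled = 0

# --- Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# The index named in the forwarder's inputs.conf must exist here, or the events
# are not indexed. Creating it in Settings -> Indexes writes the same stanza.
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb

# --- Universal Forwarder: $SPLUNK_HOME\etc\system\local\outputs.conf ---
# Where to send events; "splunk add forward-server 10.0.0.5:9997" writes this.
# 10.0.0.5 is an assumed placeholder for the indexer address.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.0.0.5:9997

# --- Universal Forwarder: $SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\inputs.conf ---
# Which Windows event logs to collect (Application, Security, System, as in the
# question). "local" overrides the TA's shipped "default" inputs.conf, so the
# TA can be updated without losing these settings.
[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog
```

After restarting the forwarder, `splunk list forward-server` on the Windows host should show 10.0.0.5:9997 under "Active forwards", and `index=wineventlog` on the indexer should start returning events. A plain splunktcp input carries the events unencrypted, so for anything beyond a test lab enable TLS on the receiving port as described in the Splunk docs linked above.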