Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Universal forward installed on windows server but can't get the logs for that server.

Sagar0511
Explorer
‎05-21-2018 06:15 AM

Hi Everyone,

I am testing universal forwarding in our testing environment and also installed universal forwarder in one of windows server, but can't get the desire logs.
My test environment included Splunk Enterprise OVA as server and Windows server (with universal forwarder installed) which is client. I had used the "deployment server" command(set deploy-poll) and then restart.

On Splunk OVA enterprise server

Added forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs"-> New (could see my desired deployment client in the list). Selected Application, security & system events.

Tested:

  1. I had check the Eventviewer logs; there logs are generating
  2. Check the Tcp dump; there is also logs are coming from the windows server.

Also I am geeting Messages:

  • Skipped indexing of internal audits event will keep dropping events until indexer congestion is remedied.check disk space and other issues that may cause indexer to block.
  • Forwarding the indexer group default-autolb-group blocked for 10 seconds.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-21-2018 10:34 AM

Hi Sagar0511,
at first you have to enable Forwarders receiving [Settings -- Forward and Receiving -- Receiving]

Then you have to configure on your Forwarder the indexer to send logs:
you can do this directly on Forwarder (only for test) running a command on the Forwarder by CLI

cd \Program Files\splunkuniversalforwarder\bin
splunk add forward-server <host name or ip address>:<listening port>

Or deploying a Technical Add-On (TA) that contains outputs.conf file using Deployment Server.

Then you have to say to the Forwarder which logs you want to send to indexer.
To do this you can download a TA from SplunkBase (Splunk_TA_Windows) and then deploy it using Deployment Server.
Or, for a test, you can copy it (after two untar) on Forwarder $SPLUNK_HOME\etc\apps folder

You can also follow the process described at http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Getstartedwithgettingdatain

Bye.
Giuseppe

0 Karma
Reply

ddrillic
Ultra Champion
‎05-21-2018 10:09 AM

This page can help - I can't find my data!

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎05-21-2018 06:48 AM

Hi Sarag0511, I believe the issue is that, along with the input for the forwarder, you'll have to create an output that sends the events to the indexer.

The indexer will need to have a network input, and also the have the same index names specified in the input config on the forwarder.

This page has some commands that can be run on the forwarder to setup the config : http://docs.splunk.com/Documentation/Forwarder/7.1.0/Forwarder/Configuretheuniversalforwarder#Config...

Please let me know if this helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...