I am testing universal forwarding in our testing environment and also installed the universal forwarder on one of our Windows servers, but can't get the desired logs.
My test environment includes a Splunk Enterprise OVA as the server and a Windows server (with the universal forwarder installed) as the client. I used the deployment server command (set deploy-poll) and then restarted.
On the Splunk Enterprise OVA server:
Added a forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs" -> New (I could see my desired deployment client in the list). Selected Application, Security & System events.
I checked the Event Viewer logs; the logs are being generated there.
Checked the tcpdump; logs are also coming in from the Windows server.
I am also getting these messages:
Skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block.
Forwarding the indexer group default-autolb-group blocked for 10 seconds.
First you have to enable receiving on the indexer [Settings -- Forwarding and Receiving -- Receiving].
Then you have to configure the indexer on your Forwarder so it sends the logs:
You can do this directly on the Forwarder (only for testing) by running a command on the Forwarder via the CLI:
cd \Program Files\splunkuniversalforwarder\bin
splunk add forward-server <host name or ip address>:<listening port>
Or by deploying a Technical Add-On (TA) that contains an outputs.conf file using the Deployment Server.
Then you have to tell the Forwarder which logs you want to send to the indexer.
To do this you can download a TA from Splunkbase (Splunk_TA_Windows) and then deploy it using the Deployment Server.
Or, for a test, you can copy it (after untarring it twice) into the Forwarder's $SPLUNK_HOME\etc\apps folder.
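As an added example (not part of the answer above or of Splunk_TA_Windows itself), these are the configuration files the steps above produce: the receiving input on the indexer, the outputs.conf that "splunk add forward-server" writes on the forwarder, and a minimal Windows event log inputs.conf. The port 9997, the hostname indexer.example.local and the app name my_fwd_outputs are assumed values.

```ini
# ---- On the indexer (Splunk Enterprise OVA) ----
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Written by Settings -> Forwarding and Receiving -> Receive data.
# Port 9997 is an assumed value; it must be reachable from the forwarder.
[splunktcp://9997]
disabled = 0

# ---- On the universal forwarder ----
# $SPLUNK_HOME\etc\apps\my_fwd_outputs\local\outputs.conf  (app name is hypothetical)
# Same result as: splunk add forward-server indexer.example.local:9997
# The group name default-autolb-group is the one the CLI creates, which is
# why it appears in the "blocked for 10 seconds" message in the question.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer.example.local:9997

# ---- On the universal forwarder ----
# $SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\inputs.conf
# Tells the forwarder which Windows event logs to collect.
# Leave "index" unset unless that index exists on the indexer: events sent
# to a non-existent index are dropped, which looks like "no logs arriving".
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
```

The "indexer congestion" and "blocked" messages from the question mean the forwarder is connected but the indexer is not accepting data, so after deploying these files check free disk space on the indexer (it stops indexing when the minimum free space threshold is hit) before changing anything else.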