Getting Data In

Universal forwarder (Windows) does not send logs even though "active"

Sagar0511
Explorer

Hi Folks,

I am testing log forwarding using universal forwarder from Windows to Splunk but can't seem to receive any logs.
My test environment has Splunk Enterprise OVA (standalone) as server and Windows 2012 (with universal forwarder) as client.

Steps I followed (not necessarily in that order):

On Windows client (Universal forwarder):
* Installed Universal forwarder
* Configured as deployment client
* Added firewall rule to allow destination port 9997
* Checked using "splunk list forward-server" to confirm server is listed in "active" section

On Splunk OVA enterprise server
* Configured listening on port 9997 using web console
* Added forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs" (could see my desired deployment client in the list). Selected Application, Security & System events
* Stopped iptables service (just to ensure it's not blocking traffic)
* Followed this link to receive logs from forwarder

Testing:
* Created user in Windows (client) and checked local event logs. Local log can be seen in "Security" events
* Ran search on server (web console) to see this event. It says "no events found" for the specific index

0 Karma
1 Solution

FrankVl
Ultra Champion
  • check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server
  • check splunkd.log on both splunk instances for errors (+ are the internal logs from the UF getting forwarded to the Enterprise instance?)
  • search for All Time, to rule out timestamping/sync issues
  • confirm universal forwarder runs under an account that has permissions to read the event logs


0 Karma
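The checks from the answer above, collected as an added PowerShell example to run on the Windows forwarder (not part of the original posts). The install path and the service name `SplunkForwarder` are assumed defaults; adjust them if the forwarder was installed elsewhere.

```powershell
# Added example: run in an elevated PowerShell session on the Windows forwarder.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default install path
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$LogFile    = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'

# 1. Did the deployment server push an app with inputs? List app folders, then
#    show the merged inputs config with the file each setting comes from.
Get-ChildItem (Join-Path $SplunkHome 'etc\apps') -Directory | Select-Object Name, LastWriteTime
& $Splunk btool inputs list --debug |
    Select-String -Pattern 'WinEventLog|index\s*=|disabled\s*='

# 2. Where is the forwarder configured to send, and is the connection active?
& $Splunk btool outputs list --debug | Select-String -Pattern 'tcpout|server\s*='
& $Splunk list forward-server

# 3. Last WARN/ERROR lines in the forwarder's own splunkd.log
#    (blocked-output and event-log read failures show up here).
Select-String -Path $LogFile -Pattern '\s(WARN|ERROR)\s' |
    Select-Object -Last 40 |
    ForEach-Object Line

# 4. Which account does the forwarder service run under? It needs read
#    access to the Security log.
Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'" |   # assumption: default service name
    Select-Object Name, State, StartName

# 5. On the Splunk Enterprise web console, search over "All Time" to see whether
#    the forwarder's internal logs arrive at all (replace the placeholder host):
#      index=_internal host=<forwarder-hostname>
#    Internal logs present but no WinEventLog data points at inputs or permissions;
#    nothing present points at outputs, the network path, or the receiving port.
```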

Sagar0511
Explorer

I was able to fix the mentioned problem which I was facing (the forwarder not sending the logs though it is "active") using one of the reference links.

Thanks.

0 Karma

Sagar0511
Explorer
  • check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server --> It is showing the index name which has been created.

  • check splunkd.log on both splunk instances for errors
    In Splunk OVA (Linux system) --> WARN Tcpoutput - Forwarding the indexer group xxxxxx blocked for xxxx seconds

    In Windows system --> There is no error

  • Are the internal logs from the UF getting forwarded to the Enterprise instance? --> No

  • confirm universal forwarder runs under an account that has permissions to read the event logs --> Checked, and it is running as SYSTEM user.

0 Karma

FrankVl
Ultra Champion

Why is your indexer reporting warnings on tcpoutput to an indexer group? Or did this warning actually come from the Windows box?

0 Karma