Getting Data In

Universal forwarder (Windows) does not send logs even though "active"

Sagar0511
Explorer

Hi Folks,

I am testing log forwarding using universal forwarder from Windows to Splunk but can't seem to receive any logs.
My test environment has Splunk Enterprise OVA (standalone) as server and Windows 2012 (with universal forwarder) as client.

Steps I followed (not necessarily in that order):

On Windows client (Universal forwarder):
* Installed Universal forwarder
* configured as deployment client
* Added firewall rule to allow destination port 9997
* checked using "splunk list forward-server" to confirm server is listed in "active" section

On Splunk OVA enterprise server
* Configured listening on port 9997 using web console
* Added forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs" (could see my desired deployment client in the list). Selected Application, security & system events
* Stopped iptables service (just to ensure it's not blocking traffic)
* Followed this link to receive logs from forwarder

Testing:
* created user in windows (client) and checked local event logs. Local log can be seen in "Security" events
* Ran search in server (web console) to see this event. It says "no events found" for the specific index

0 Karma
1 Solution

FrankVl
Ultra Champion
  • check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server
  • check splunkd.log on both splunk instances for errors (+ are the internal logs from the UF getting forwarded to the Enterprise instance?)
  • search for All Time, to rule out timestamping/sync issues
  • confirm universal forwarder runs under an account that has permissions to read the event logs


0 Karma

Sagar0511
Explorer

I was able to fix the problem I was facing (the forwarder not sending logs even though it is "active") using one of the reference links.

Thanks.

0 Karma


Sagar0511
Explorer
  • check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server --> It is showing the index name which has been created.

  • check splunkd.log on both splunk instances for errors
    In Splunk OVA (Linux system) --> WARN Tcpoutput - Forwarding the indexer group xxxxxx blocked for xxxx seconds

    In Windows system --> There is no error

  • Are the internal logs from the UF getting forwarded to the Enterprise instance? --> No

  • confirm universal forwarder runs under an account that has permissions to read the event logs --> checked and it is running as SYSTEM user.

0 Karma

FrankVl
Ultra Champion

Why is your indexer reporting warnings on tcpoutput to an indexer group? Or did this warning actually come from the windows box?

0 Karma
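To answer the question above (which instance is actually emitting the TcpOutput warning, and is the UF ever connecting), here is an added Python triage script that is not part of the thread or of Splunk itself. It assumes the standard splunkd.log line layout ("MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message") and runs over constructed sample lines; any TcpOutput* message on the indexer means that instance has its own outputs configured and is trying to forward, which is what the reply is asking about.

```python
import re

# Assumed splunkd.log layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} "
                     r"(?P<level>[A-Z]+) (?P<comp>\S+) - (?P<msg>.*)$")
BLOCKED_RE = re.compile(r"indexer group (?P<group>\S+) blocked for (?P<secs>\d+) seconds")
HOST_RE = re.compile(r"(?:ip|host|idx)=(?P<host>[\w.\-]+:\d+)")

def triage(log_text):
    """Summarise TcpOutput* (forwarding pipeline) messages from one instance's splunkd.log."""
    out = {"blocked": {}, "failed": set(), "connected": set()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["comp"].startswith("TcpOutput"):
            continue  # other components are irrelevant to the forwarding question
        msg, level = m["msg"], m["level"]
        if b := BLOCKED_RE.search(msg):
            g, s = b["group"], int(b["secs"])
            out["blocked"][g] = max(out["blocked"].get(g, 0), s)  # keep the worst case seen
            continue
        h = HOST_RE.search(msg)
        if h and level in ("WARN", "ERROR"):
            out["failed"].add(h["host"])  # timeouts / refused connections to an indexer
        elif h and "Connected to" in msg:
            out["connected"].add(h["host"])  # at least one successful handshake
    return out

def diagnose(logs):
    """logs: {"indexer": text, "uf": text}; returns human-readable findings per side."""
    findings = []
    for side, text in logs.items():
        t = triage(text)
        for g, s in sorted(t["blocked"].items()):
            findings.append(f"{side}: forwarding to group {g} blocked up to {s}s")
        for h in sorted(t["failed"]):
            findings.append(f"{side}: connection problems to {h}")
        if side == "uf" and not t["connected"]:
            findings.append("uf: never logged a successful connection to an indexer")
    return findings

# Constructed sample lines (not from the thread) so the script runs stand-alone
INDEXER_LOG = """\
07-15-2019 10:05:12.000 +0000 WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 300 seconds.
07-15-2019 10:05:13.000 +0000 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=0.0
"""
UF_LOG = """\
07-15-2019 10:00:01.000 +0000 INFO TcpOutputProc - Connected to idx=10.0.0.5:9997, pset=0, reuse=0.
07-15-2019 10:06:12.000 +0000 WARN TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
"""
```

Run it as `diagnose({"indexer": open(...).read(), "uf": open(...).read()})` with each side's $SPLUNK_HOME/var/log/splunk/splunkd.log; a "blocked" finding tagged "indexer" means the warning came from the Enterprise box, not the Windows UF.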