
Universal forwarder (Windows) does not send logs even though "active"

Sagar0511
Explorer

Hi Folks,

I am testing log forwarding using the universal forwarder from Windows to Splunk, but can't seem to receive any logs.
My test environment has the Splunk Enterprise OVA (standalone) as the server and Windows 2012 (with the universal forwarder) as the client.

Steps I followed (not necessarily in this order):

On the Windows client (universal forwarder):
* Installed the universal forwarder
* Configured it as a deployment client
* Added a firewall rule to allow destination port 9997
* Checked using "splunk list forward-server" to confirm the server is listed in the "active" section

On the Splunk Enterprise OVA server:
* Configured listening on port 9997 using the web console
* Added a forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs" (I could see my desired deployment client in the list). Selected Application, Security and System events
* Stopped the iptables service (just to ensure it's not blocking traffic)
* Followed this link to receive logs from the forwarder

Testing:
* Created a user in Windows (client) and checked the local event logs. The local log entry can be seen in the "Security" events
* Ran a search on the server (web console) to see this event. It says "no events found" for the specific index

1 Solution

FrankVl
Ultra Champion
  • check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server
  • check splunkd.log on both splunk instances for errors (+ are the internal logs from the UF getting forwarded to the Enterprise instance?)
  • search for All Time, to rule out timestamping/sync issues
  • confirm universal forwarder runs under an account that has permissions to read the event logs


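The checklist above, and the setup steps in the original question, as one added example: a PowerShell script run on the Windows 2012 forwarder that works through the UF-side checks in a single pass. This is not code from the thread or from Splunk's documentation. It assumes the default UF install path, the UF service name SplunkForwarder, the OVA reachable at 192.0.2.10 (a documentation address; substitute your indexer) and receiving port 9997.

```powershell
# Added example: UF-side troubleshooting for "forward-server active but no events".
# Not part of the thread. Assumptions: default UF install path, indexer/deployment
# server at 192.0.2.10 (documentation address, substitute yours), receiving port 9997.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$Indexer    = '192.0.2.10'
$Port       = 9997

# 1. Service account: reading the Security event log needs LocalSystem or an account
#    in the Event Log Readers group; StartName shows which one splunkd runs as.
Get-CimInstance -ClassName Win32_Service -Filter "Name='SplunkForwarder'" |
    Select-Object Name, State, StartName | Format-List

# 2. Was the deployment-server app actually pushed? Show every inputs/outputs/
#    deploymentclient .conf under etc\apps. Expect [WinEventLog://Security] (and
#    Application/System) with your index, plus [tcpout] -> server = <indexer>:9997.
Get-ChildItem -Path (Join-Path $SplunkHome 'etc\apps') -Recurse -Filter '*.conf' |
    Where-Object { $_.Name -in @('inputs.conf', 'outputs.conf', 'deploymentclient.conf') } |
    ForEach-Object {
        Write-Output "`n=== $($_.FullName) ==="
        Get-Content -Path $_.FullName
    }

# 3. Effective (merged) configuration, so a disabled = 1 or a wrong index in a
#    higher-precedence layer does not hide from you.
& $Splunk btool inputs list --debug | Select-String -Pattern 'WinEventLog|index|disabled'
& $Splunk btool outputs list --debug

# 4. Raw TCP reachability of the receiving port. "active" in the forward-server list
#    is not proof that the indexer accepts and acknowledges data; a refused or
#    filtered 9997 shows up here immediately.
$client = New-Object -TypeName System.Net.Sockets.TcpClient
try {
    $handle = $client.BeginConnect($Indexer, $Port, $null, $null)
    $done   = $handle.AsyncWaitHandle.WaitOne(3000)
    if ($done -and $client.Connected) {
        Write-Output "TCP ${Indexer}:${Port} reachable"
    } else {
        Write-Output "TCP ${Indexer}:${Port} NOT reachable (firewall, wrong host, or receiving not enabled)"
    }
} finally {
    $client.Close()
}

# 5. Recent ERROR/WARN lines from the UF's own splunkd.log that concern output,
#    event-log collection or blocked queues.
Get-Content -Path (Join-Path $SplunkHome 'var\log\splunk\splunkd.log') -Tail 1000 |
    Select-String -Pattern '(ERROR|WARN)\s+(TcpOutputProc|WinEventLog|ExecProcessor|AutoLoadBalancedConnectionStrategy)' |
    Select-Object -Last 40

# 6. The forwarder's own view of its destinations (what the question already ran;
#    may prompt for the UF admin credentials).
& $Splunk list forward-server
```

Run it from an elevated PowerShell prompt on the forwarder. On the OVA, the counterparts are `splunk display listen` (confirms the 9997 receiver is enabled) and the indexer's own $SPLUNK_HOME/var/log/splunk/splunkd.log. The quickest end-to-end check is the search `index=_internal host=<forwarder hostname>` over All Time: the UF forwards its own internal logs by default, so an empty result there points at transport or configuration rather than at the Windows event log input itself.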

Sagar0511
Explorer

I was able to fix the problem I was facing (the forwarder not sending logs even though it is "active") using one of the reference links.

Thanks.



Sagar0511
Explorer
  • check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server --> It is showing the index name that was created.

  • check splunkd.log on both splunk instances for errors
    In the Splunk OVA (Linux system) --> WARN Tcpoutput - Forwarding the indexer group xxxxxx blocked for xxxx seconds

    In the Windows system --> There are no errors

  • Are the internal logs from the UF getting forwarded to the Enterprise instance? --> No

  • confirm universal forwarder runs under an account that has permissions to read the event logs --> Checked, and it is running as the SYSTEM user.


FrankVl
Ultra Champion

Why is your indexer reporting warnings on tcpoutput to an indexer group? Or did this warning actually come from the Windows box?
