Getting Data In

Universal forwarder windows to syslog doesn't work

Path Finder

I am trying to get the Universal Forwarder to forward event logs (System and Security) from Windows to syslog on Linux. Nothing happens. The Linux box does not receive any packets addressed to port 514.

The computers are directly connected, the firewall on the windows machine is off and the netfilter firewall on the linux machine just accepts everything.

The machines can ping each other, and the windows machine can access the linux machine using HTTP.

To create log entries I clear the log file, and windows creates one log record to say that this happens. (I have also tried logging off and on again, and also opening a command window. No better.)

The file . . \etc\system\local\outputs.conf says:

disabled = false
server=    # the IP of the Linux machine

The file ...\etc\system\local\inputs.conf says: (the dashes are actually underlines)

host=testserver   # the windows machine
[WinEventLog:Security]    # . . and ditto for [WinEventLog:System]
disabled    = 0
start-from  = oldest    # I have tried newest
current-only=0          # I have tried 1 
evt-dc-name = 
evt-dns-name = 
evt-resolve-ad-obj = 0 
checkpointinterval = 5 

Any suggestions while I still have some hair?

Ultra Champion

Just to add to chrisrex's port 514 is in the privileged port range, your Splunk Indexer on Linux would have to be run with "root" permissions for UDP port 514 to open.

Also, you could try running a network sniffer such as "wireshark" on the windows machine to ensure that syslog packets are actually being sent out over the network interface.

0 Karma

Path Finder

Thanks Damien. See above. Also, I can get the Universal Forwarder to send events to the Indexer, but not to syslog.

And thanks for "wireshark". That is the answer to my next question, which has not been asked yet!

0 Karma


Can you verify syslog is open on your linux box with netstat -an|grep 514? You should see something like this: udp 0 0*

0 Karma

Path Finder

Thanks Chris. Yes, I am running syslogd as root, and I get exactly what you suggest. In addition, tcpdump shows nothing arriving mentioning port 514. I would expect to see it even if the port was closed. It looks like nothing relevant leaves the Windows machine. (But I do see packets addressed to port 9997.)

0 Karma