Getting Data In

Why am I getting an error when sending logs from universal forwarder to heavy forwarder?

slee75
New Member

Hello, I have some windows systems that I'm trying to send logs from via a universal forwarder, to a heavy forwarder. However, I am getting an error on the heavy forwarder:

WARN  IndexerService - Received event for unconfigured/disabled/deleted index=testwineventlog with source="source::tcp:5513" host="host::*hostname*" sourcetype="sourcetype::tcp-raw".  So far received events from 1 missing index(es).

On the universal forwarder, I have the inputs.conf configured:

[WinEventLog://Application] disabled = 0 
interval = 60 
evt_resolve_ad_obj = 0 
evt_dc_name =  
evt_dns_name = 
index = testwineventlog

[WinEventLog://System] disabled = 0
interval = 60 
evt_resolve_ad_obj = 0
evt_dc_name =  
evt_dns_name =  
index = testwineventlog

[WinEventLog://Security] disabled = 0
interval = 60 
evt_resolve_ad_obj = 0
evt_dc_name =  
evt_dns_name = 
whitelist = 4624-4626,4634,4647-4649,4672-4674
index = testwineventlog

My outputs.conf file on the universal forwarder is:

[tcpout:hq] 
server = *heavy forwarder hostname*:5513

I don't have indexing enabled on the heavy forwarder (no entry for it, it should default to disabled right?)

[default] host=*hostname* 
[tcp:5514]
connection_host=dns 
sourcetype=syslog
persistentQueueSize=1GB
index=hq
[tcp:5513] 
connection_host=dns
persistentQueueSize=1GB
index=testwineventlog

Also, why am I seeing sourcetype raw? Doesn't the wineventlog input set that sourcetype on the universal forwarder? The heavy forwarder doesn't recognize it?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That error message appears when an event is received by an indexer for an index that is not defined or is disabled. By default, all Splunk instances other than Universal Forwarders have indexing enabled. That means your heavy forwarder is really an indexer. Create an outputs.conf file pointing to your indexer(s) to turn it into a HF.

Why are you using a heavy forwarder in this configuration? In general, using HFs as an intermediary is discouraged unless needed for a specific purpose (like getting through a firewall).

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...