Getting Data In
Highlighted

Why am I getting an error when sending logs from universal forwarder to heavy forwarder?

New Member

Hello, I have some windows systems that I'm trying to send logs from via a universal forwarder, to a heavy forwarder. However, I am getting an error on the heavy forwarder:

WARN  IndexerService - Received event for unconfigured/disabled/deleted index=testwineventlog with source="source::tcp:5513" host="host::*hostname*" sourcetype="sourcetype::tcp-raw".  So far received events from 1 missing index(es).

On the universal forwarder, I have the inputs.conf configured:

[WinEventLog://Application] disabled = 0 
interval = 60 
evt_resolve_ad_obj = 0 
evt_dc_name =  
evt_dns_name = 
index = testwineventlog

[WinEventLog://System] disabled = 0
interval = 60 
evt_resolve_ad_obj = 0
evt_dc_name =  
evt_dns_name =  
index = testwineventlog

[WinEventLog://Security] disabled = 0
interval = 60 
evt_resolve_ad_obj = 0
evt_dc_name =  
evt_dns_name = 
whitelist = 4624-4626,4634,4647-4649,4672-4674
index = testwineventlog

My outputs.conf file on the universal forwarder is:

[tcpout:hq] 
server = *heavy forwarder hostname*:5513

I don't have indexing enabled on the heavy forwarder (no entry for it, it should default to disabled right?)

[default] host=*hostname* 
[tcp:5514]
connection_host=dns 
sourcetype=syslog
persistentQueueSize=1GB
index=hq
[tcp:5513] 
connection_host=dns
persistentQueueSize=1GB
index=testwineventlog

Also, why am I seeing sourcetype raw? Doesn't the wineventlog input set that sourcetype on the universal forwarder? The heavy forwarder doesn't recognize it?

0 Karma
Highlighted

Re: Why am I getting an error when sending logs from universal forwarder to heavy forwarder?

SplunkTrust
SplunkTrust

That error message appears when an event is received by an indexer for an index that is not defined or is disabled. By default, all Splunk instances other than Universal Forwarders have indexing enabled. That means your heavy forwarder is really an indexer. Create an outputs.conf file pointing to your indexer(s) to turn it into a HF.

Why are you using a heavy forwarder in this configuration? In general, using HFs as an intermediary is discouraged unless needed for a specific purpose (like getting through a firewall).

---
If this reply helps you, an upvote would be appreciated.