I have a new standalone Splunk install that I want to test. It's installed on Windows.
I want to monitor the Windows Security event log of a remote Windows Server. I have installed the UF on this server.
There is a connection between the remote Windows server and the Splunk server, so that eliminates firewall and networking problems.
I am not seeing the Windows Security events on the Splunk server however.
What am I missing?
Did you create that index on your Splunk server?
That error means that it tried to write to an index that isn't there.
Create the index and the events should go away.
I have a similar problem. I installed the UF, but the inputs.conf did NOT include the system, apps, or security events even though I selected them during install. I manually added them and restarted. Confirmed forward destination is correct (outputs.conf).
Something you can test is to make sure the networking (firewalls) are all OK with "netstat -an" to confirm they are communicating. This is almost always the problem (but not this time...).
In my case, they are communicating, but no events are being forwarded even though they are being generated (confirmed with local Event Viewer).
In my case, I followed the answer below and created the said index (wineventlog) and it worked.
Discovered this is default with the UF on Windows systems that it sends to this directory, not "main". I'm sure it says as much during the installation, but I must have missed it -- if not, it should be...
Apologies; not much to offer (yet) on the Linux issue (SELinux?). Although, this has always been a firewall issue for me on 'nix in the past...
Hi, I am also having the same problem as Michael. Splunk installed on a Linux host taking in syslog no problem. Two UFs installed on two Windows 2012 R2 hosts, not sending Windows event logs despite selecting them during UF install. Any ideas? Thanks.
Hi, having the exact same problem as Michael. I am new to Splunk and am reading as much as I can but would appreciate a point in the right direction to sort this out. I have Splunk Enterprise installed on a Linux host and working correctly taking in syslog. I have two universal forwarders installed on Windows 2012 R2 hosts; one has IIS on and is sending the logs to the indexer correctly. Just no Windows Event Logs 😞
Make sure your Indexers also have the Splunk App for Windows Infrastructure app and windows add-on installed. If the Indexers don't have the apps and related add-on you won't see any event data.
s/events/errors/
OK, I created the index "wineventlog" and it's working.
Ya, that message needs to be more prominent during the UF install -- that this needs to be done. This is going to burn a lot of people...
On the UF make sure the Windows app has security event logs enabled in inputs.conf. Check to ensure outputs.conf is configured to send logs to your Splunk server.
On the Splunk server make sure your inputs.conf is configured to listen on 9997 (or your configured port). Make sure indexes.conf is configured with an index for security events. You'll need to create an index called msad unless you've selected another index on the UF.
Check splunkd.log for errors. Use netstat to see if the UF is sending/established on TCP 9997 and if the Splunk server is listening on tcp 9997. Even though you said they had a direct connection, make sure the windows firewall isn't blocking outbound ports from the UF and that the Splunk server is not being blocked inbound.
Between the conf files, netstat, firewalls, and log files you should see something. Also, try an obligatory UF service restart.
Let us know if any of these steps help.
Additional info ... I get this error in Splunk:
received event for unconfigured/disabled/deleted index='wineventlog' with source='source::WinEventLog:Security' host='host::SERVER01' sourcetype='sourcetype::WinEventLog:Security' (1 missing total)
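As an added triage helper (not code from this thread or from Splunk): this Python script parses splunkd.log lines of the form quoted above, checks each named index against the indexer's indexes.conf as the troubleshooting answer suggests, and prints a minimal stanza for every index the forwarders write to that is not defined. The log lines and indexes.conf content are constructed samples; the timestamp prefix and the $SPLUNK_DB paths are assumptions.

```python
import re
from configparser import ConfigParser

# Matches the splunkd.log message quoted in the thread and captures the fields
# that identify which forwarder input produced the dropped event.
UNCONFIGURED_INDEX_RE = re.compile(
    r"received event for unconfigured/disabled/deleted index='(?P<index>[^']+)'"
    r" with source='(?P<source>[^']+)' host='(?P<host>[^']+)'"
)

# Constructed sample data: three splunkd.log lines (timestamp/level prefix is made up)
# and a minimal indexes.conf in which 'main' and 'msad' exist but 'wineventlog' does not.
SAMPLE_LOG = """\
04-01-2024 10:15:02.123 +0000 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='wineventlog' with source='source::WinEventLog:Security' host='host::SERVER01' sourcetype='sourcetype::WinEventLog:Security' (1 missing total)
04-01-2024 10:15:03.456 +0000 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='wineventlog' with source='source::WinEventLog:System' host='host::SERVER01' sourcetype='sourcetype::WinEventLog:System' (2 missing total)
04-01-2024 09:58:11.000 +0000 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='msad' with source='source::WinEventLog:Security' host='host::DC01' sourcetype='sourcetype::WinEventLog:Security' (1 missing total)
"""
SAMPLE_INDEXES_CONF = """\
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
[msad]
homePath = $SPLUNK_DB/msad/db
coldPath = $SPLUNK_DB/msad/colddb
thawedPath = $SPLUNK_DB/msad/thaweddb
"""

def defined_indexes(indexes_conf_text):
    """Index stanzas present in an indexes.conf (the global [default] and volume: stanzas excluded)."""
    parser = ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(indexes_conf_text)
    return {s for s in parser.sections() if s != "default" and not s.startswith("volume:")}

def missing_indexes(log_text, indexes_conf_text):
    """Map each undefined index named in the error to the (host, source) pairs that wrote to it.
    Older lines for an index that has since been created (msad above) are skipped."""
    defined = defined_indexes(indexes_conf_text)
    missing = {}
    for line in log_text.splitlines():
        m = UNCONFIGURED_INDEX_RE.search(line)
        if m and m.group("index") not in defined:
            host = m.group("host").split("::", 1)[-1]      # 'host::SERVER01' -> 'SERVER01'
            source = m.group("source").split("::", 1)[-1]  # 'source::WinEventLog:Security' -> ...
            missing.setdefault(m.group("index"), set()).add((host, source))
    return missing

def index_stanza(name):
    """Minimal indexes.conf stanza (the three required paths) that defines the index."""
    return (f"[{name}]\nhomePath = $SPLUNK_DB/{name}/db\n"
            f"coldPath = $SPLUNK_DB/{name}/colddb\nthawedPath = $SPLUNK_DB/{name}/thaweddb\n")

for name, writers in missing_indexes(SAMPLE_LOG, SAMPLE_INDEXES_CONF).items():
    print(f"index '{name}' is not defined; written to by {sorted(writers)}\n{index_stanza(name)}")
```

Run it against the indexer's real $SPLUNK_HOME/var/log/splunk/splunkd.log and etc/system/local/indexes.conf (or the app's local indexes.conf) in place of the samples; after adding the stanza, restart splunkd or create the index through the web UI instead.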