Getting Data In

Why are Windows event logs not being forwarded to the specified index with my current configuration?

I have a universal forwarder installed on my Windows server. I am trying to send event logs with certain event types to the indexer server. In addition to that, I am sending files stored in my server location to the indexer server. All this data needs to be sent to a particular index within the indexer server. However, when I search the indexer with the index name, I am not able to get any results.

inputs.conf from my Forwarder:

[default]
host = WIN2K3CPT

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
whitelist = SourceName="^RC_ProcessInstAppService_Failure$"
whitelist1 = SourceName="^RC_ProductTransferService_Failure$"
whitelist2 = SourceName="^RC_MarketOfferProcessor_Failure$"
whitelist3 = EventType="Warning"

[monitor://F:\inetpub\wwwroot\T3Report]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
whitelist = CMC\.txt|RC\.txt

props.conf from the Indexer server:

[srcapplogrc]
TRANSFORMS-index=sendtoapplogrc

transforms.conf from the indexer server:

[sendtoapplogrc]
REGEX=.
DEST_KEY = _MetaData:Index
FORMAT = applogrc

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

The terms index and indexer are different things. I see your configuration for sending to particular index values but if you are trying to send some stuff to certain indexers, we need to see your outputs.conf.


Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

Thanks. Here it is:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = server1.mydomain.com:11070

[tcpout-server://server1.mydomain.com:11070]

Note: All these conf files are in the system\local folder. And I did try restarting the Splunk instance after the changes.


Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

Hi, there's no need for the props and transforms in this case because you're specifying the index in the inputs.conf stanza.

Have you made sure that port 11070 is open from your machine to the other machine? Firewalls can block this connection, such as Windows Firewall, network firewalls, Linux firewalls (iptables, AppArmor), etc.

Also, to be sure, the inputs and outputs .conf files should be on the universal forwarder, not the Splunk indexer. You mentioned inputs.conf was on the UF but nothing about the location of outputs.conf, so I'm just checking to be sure.

Finally, I removed your internal server names from your post for your own protection.

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

Thanks Michael. The location of my outputs.conf is within the UF (etc/system/local) itself. Also, I did a telnet to port 11070. It's open.
Is there anything specific that we need to configure within the forwarder for it to actually start forwarding data? I am of the assumption that it starts sending the data automatically once outputs.conf is placed and the instance restarted.

Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

That's all it takes so long as the account splunkd is running under has permissions to read the data you're looking for and then receiving is enabled on the indexers on that port.

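The two answers above amount to a checklist: the port must be reachable, outputs.conf and inputs.conf must live on the forwarder, the splunkd service account must be able to read the data, and the indexer must have receiving enabled on that port. The following PowerShell script, run on the Windows forwarder, checks each of those points in turn. It is an added example and not code from the thread or from Splunk; it assumes the default universal forwarder install path and service name (SplunkForwarder), and takes the indexer name and port from the outputs.conf posted above.

```powershell
# Added diagnostic for a Windows universal forwarder; not part of the original thread.
# Assumptions: default UF install path, default service name "SplunkForwarder", and the
# indexer/port from the posted outputs.conf. Adjust the three variables to match your host.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default install path
$Indexer    = 'server1.mydomain.com'                         # from the posted outputs.conf
$Port       = 11070                                          # from the posted outputs.conf

# 1. Reachability: a raw TCP connect to the receiving port. TcpClient is used instead of
#    Test-NetConnection so this also runs on older PowerShell versions.
function Test-TcpPort {
    param([string]$HostName, [int]$TcpPort, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $TcpPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
$reachable = Test-TcpPort -HostName $Indexer -TcpPort $Port
Write-Output ("TCP {0}:{1} reachable: {2}" -f $Indexer, $Port, $reachable)

# 2. Which account splunkd runs as. That account needs read access to the Application
#    event log and to the monitored directory, otherwise the inputs silently produce nothing.
Get-WmiObject Win32_Service -Filter "Name='SplunkForwarder'" |
    Select-Object Name, StartName, State

# 3. What the forwarder actually loaded after config layering. btool prints the winning
#    stanza and the file it came from, so a conf file in the wrong directory or a typo in a
#    stanza name shows up here. "list forward-server" prompts for the UF admin credentials.
& "$SplunkHome\bin\splunk.exe" list forward-server
& "$SplunkHome\bin\splunk.exe" btool outputs list --debug
& "$SplunkHome\bin\splunk.exe" btool inputs list 'WinEventLog://Application' --debug

# 4. Connection history from splunkd.log. "Connected to idx=" means the indexer accepted
#    the connection; repeated "Connect to ... failed" or "Connection refused" means nothing
#    is listening on that port (receiving not enabled) or a firewall is in the way.
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Select-String -Path $log -Pattern 'TcpOutputProc|TcpOutputFd|WinEventLog' |
    Select-Object -Last 30
```

On the indexer side, `splunk btool inputs list splunktcp` should show a `[splunktcp://11070]` stanza, and a search for `index=_internal host=<forwarder host>` is a quick way to confirm the forwarder is connected at all, because the forwarder ships its own internal logs regardless of the custom index. One caveat worth checking separately: the `applogrc` index must already exist on the indexer; events addressed to an index that does not exist are dropped rather than redirected to a default index.
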
Re: Why are Windows event logs not being forwarded to the specified index with my current configuration?

@ppablo_splunk hey man, is there any way we can delete/edit the comments the OP made that contained his server names from the question history?
