Hi, I’m quite new to Splunk when it comes to sending data to Splunk. I do have experience with making dashboards etc. I’ve got a problem receiving data from a Windows PC. I’ve installed the universal forwarder on there and I’ve got another Windows PC that acts as my enterprise environment. I do know that the forwarder is active and can see a connection. I want to send WinEventLog data to Splunk. I’ve made an inputs.conf and an outputs.conf containing information for what I want to forward. But when I want to look it up in the search I have 0 events. I’m sure I’m doing some things wrong haha. I would like some help with it. Thanks!
It looks like there's a typo in the hostname in the query. Try host=*. You can confirm a sourcetype was received using this search
index=_internal component=Metrics group=per_sourcetype_thruput series="WinEventLog:Security"
Just change the 'series' value to the sourcetype you're looking for.
Hi @belleke ,
install on the UF the Splunk_TA_Windows ( https://splunkbase.splunk.com/app/742 ), remembering that, by default, all the inputs are disabled, so you have to create a new folder called "local", copy the inputs.conf from the default folder and modify disabled=1 to disabled=0 for all the inputs you need.
Then install the above Add-On also on the Splunk Server.
Ciao.
Giuseppe
Are you able to see the UF's internal logs in Splunk? If not, then that problem must be resolved first.
Please share the WinEventLog inputs.conf stanza(s).
Please also tell how you are trying to search for the events.
The first screenshot is about the UF's internal logs in Splunk. The second screenshot is my search string looking for WinEventLog events. I also wrote down my inputs.conf. I do apologize that I have little knowledge about this all. If I need to send more info or the right one 😉 please let me know, thanks!
inputs.conf:
[WinEventLog://Security]
disabled = 0
index = main
sourcetype = WinEventLog:Security
evt_resolve_ad_obj = 1
checkpointInterval = 5
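The stanza above is valid, so the usual next step is to check the forwarder side before touching the indexer. The script below is an added example for this thread (not something any of the posters provided) and is meant to be run in an elevated PowerShell session on the Windows PC that hosts the Universal Forwarder. It assumes the default install path and the default service name "SplunkForwarder"; adjust both if your install differs. The two `splunk list` commands prompt for the UF's admin credentials.

```powershell
# Added troubleshooting script for a Universal Forwarder that shows a connection
# but delivers no WinEventLog://Security events. Not from the thread; assumptions:
# default UF install path and service name, run as an administrator.

$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumed default path
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'

# 0. Can this box read its own Security log at all? An "access denied" here means
#    the account you are using lacks rights to the Security channel.
Get-WinEvent -LogName Security -MaxEvents 1 | Select-Object TimeCreated, Id

# 1. Which identity runs the forwarder? The Security log is readable by Local System
#    or by members of the "Event Log Readers" group; an ordinary domain or local
#    user account silently gets nothing from WinEventLog://Security.
Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'" |
    Select-Object Name, State, StartName

# 2. Effective configuration: btool merges every inputs.conf and prints the file
#    each setting comes from, so a stanza left in default/ instead of local/, a
#    second copy with disabled = 1, or a typo in the stanza name shows up here.
& $Splunk btool inputs list 'WinEventLog://Security' --debug

# 3. Is the forwarder really connected to the indexer, and to which one?
& $Splunk list forward-server

# 4. Does splunkd consider the Windows event log input configured and running?
& $Splunk list inputstatus

# 5. Errors from the event log input or the output pipeline in the recent
#    splunkd.log (access denied, unknown channel, blocked output queue, etc.).
Get-Content (Join-Path $SplunkHome 'var\log\splunk\splunkd.log') -Tail 200 |
    Select-String -Pattern 'WinEventLog|TcpOutputProc|ERROR'
```

If steps 1 to 5 look healthy, the problem is on the receiving side: run the `per_sourcetype_thruput` search from the first answer on the indexer, and remember that `index=main` in the stanza must exist on the indexer and be searchable by your role.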
@richgalloway
I've solved the issue, thanks for your help!
How did you solve it?
Hi @belleke ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Thanks for your reply, unfortunately I still have no luck. By the looks of it I'm not receiving any sourcetypes in Splunk. I saw my typo later but still wasn't able to receive any kind of data regarding WinEventLog.
Any other suggestions what could be the issue?