Re: Beginner issues

pck1983 · ‎09-05-2023

Hello, I try to learn splunk and thatfor I have setup a demo-version in my home-lab on the Linux system...

Actually I have splunk running and I added the local files. Then I activated port 9997 and installed a universal forwarder on my Windows 10 PC.

I can see on Linux with tcpdump that I get packages on port 9997 but I can't get the data into splunk! When I try to add data from a forwarder manually then I see the message that I have actually not forwarders configured...

What am I doing wrong?

bowesmana · ‎09-05-2023

Have you configured your forwarder firstly to collect data from the host and secondly where to send it?

https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Configuretheuniversalforwarder

https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Configureforwardingwithoutputs.conf#....

Have you created an index that the UF will send its data to?

pck1983 · ‎09-05-2023

I forgot to tell you what my inputs.conf contains:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Setup]
disabled = 0

My outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.2:9997

[tcpout-server://192.168.1.2:9997]

pck1983 · ‎09-06-2023

I have it solved - no idea what it was but after I rebooted all of the machines it start to work...

Thanks!

BTW - when my 60 days of test period are done and I go back to the free license. Will the forwarders work or do I need a prof. license?

I am pretty sure my 3 workstations will not exceed the 500MB / day limit!

Beginner issues

Linux

universal forwarder

Windows

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?