Re: Beginner issues

pck1983 · ‎09-05-2023

Hello, I try to learn splunk and thatfor I have setup a demo-version in my home-lab on the Linux system...

Actually I have splunk running and I added the local files. Then I activated port 9997 and installed a universal forwarder on my Windows 10 PC.

I can see on Linux with tcpdump that I get packages on port 9997 but I can't get the data into splunk! When I try to add data from a forwarder manually then I see the message that I have actually not forwarders configured...

What am I doing wrong?

bowesmana · ‎09-05-2023

Have you configured your forwarder firstly to collect data from the host and secondly where to send it?

https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Configuretheuniversalforwarder

https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Configureforwardingwithoutputs.conf#....

Have you created an index that the UF will send its data to?

pck1983 · ‎09-05-2023

I forgot to tell you what my inputs.conf contains:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Setup]
disabled = 0

My outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.2:9997

[tcpout-server://192.168.1.2:9997]

pck1983 · ‎09-06-2023

I have it solved - no idea what it was but after I rebooted all of the machines it start to work...

Thanks!

BTW - when my 60 days of test period are done and I go back to the free license. Will the forwarders work or do I need a prof. license?

I am pretty sure my 3 workstations will not exceed the 500MB / day limit!

Beginner issues

Linux

universal forwarder

Windows

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting