Installation

Why did my Splunk Forwarder end prematurely?

Ziadm
Path Finder

So I was trying to install a forwarder on the DC and I ran into this issue.
Here is the link to the log file, since I can't figure out how to attach it here:
https://drive.google.com/file/d/1j73adahjOwc52lE6Oxxi6lBzAFHpErK1/view?usp=sharing

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Ziadm,

Let me understand: you have now installed the UF on the DC but you still have problems, is this correct?

This is a new question; next time, please close the first question and then open a new one.

Anyway, some questions:

  • Does your UF send logs to the indexer? You can check on the indexer by running a simple search like "index=_internal host=<DC_hostname>"
  • If yes, how are you taking the DC logs, which add-on are you using?
  • If not, check the connection between the UF and the IDX using "telnet <ip_indexer> 9997"

Ciao.

Giuseppe

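The checks Giuseppe lists (the `index=_internal host=<DC_hostname>` search on the indexer, and a TCP test to port 9997 from the forwarder side) can be run from the DC itself in one go. The script below is an added example written for this thread, not code from the original post or from Splunk. It assumes the indexer and deployment server addresses (`10.0.0.10` is a placeholder), the default UF install path and service name `SplunkForwarder`, the default ports 9997 (data) and 8089 (deployment server / management), and the `splunkd.log` component names `TcpOutputProc` and `DC:DeploymentClient`, which are where connection failures are logged. Run it in an elevated PowerShell session on the DC.

```powershell
# Added example for this thread: diagnose "UF installed on the DC but no events arrive".
# Assumptions (not from the thread): indexer / deployment server IPs, default ports,
# default install path and service name. Adjust the first three lines for your lab.
$Indexer          = '10.0.0.10'   # assumed indexer address
$DeploymentServer = '10.0.0.10'   # assumed deployment server (often the same box in a lab)
$SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder'

# 1. Is splunkd running at all? An installer that "ended prematurely" usually leaves
#    no service, or a service that never starts.
Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 2. Can the DC reach the indexer's receiving port and the DS management port?
#    A domain firewall (the actual cause in this thread) shows up here as TcpTestSucceeded=False.
foreach ($target in @(@{Host = $Indexer; Port = 9997}, @{Host = $DeploymentServer; Port = 8089})) {
    $r = Test-NetConnection -ComputerName $target.Host -Port $target.Port -WarningAction SilentlyContinue
    '{0}:{1} TcpTestSucceeded={2}' -f $target.Host, $target.Port, $r.TcpTestSucceeded
}

# 3. Is there an ESTABLISHED session to 9997 right now? (Equivalent of the netstat check.)
Get-NetTCPConnection -RemotePort 9997 -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, RemotePort, State

# 4. What does the forwarder itself say? Refused connections, blocked ports and
#    deployment-client failures are all written to splunkd.log on the UF.
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'TcpOutputProc|DC:DeploymentClient|ERROR' |
        Select-Object -Last 20 | ForEach-Object { $_.Line }
}

# 5. Network healthy but still no Sysmon events? Confirm the input stanza the UF
#    actually merged is enabled, and that the Sysmon channel exists on this host.
& "$SplunkHome\bin\splunk.exe" btool inputs list --debug |
    Select-String -Pattern 'Sysmon' -Context 0, 5
Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue |
    Select-Object LogName, RecordCount, IsEnabled
```

Read the steps in order: if step 2 fails, nothing after it matters and the fix is on the firewall between the DC and the Splunk host; if steps 2 and 3 pass but step 4 shows errors, the problem is on the Splunk side (for example an index that does not exist on the indexer); if everything passes but step 5 shows `disabled = 1` or `RecordCount` of 0, the input is not enabled or Sysmon is not writing to the channel.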

Ziadm
Path Finder

For some weird reason, now when I try to install it again it triggers a blue screen, even after trying a fresh Windows installation. It's a VM, if that matters at all.


gcusello
SplunkTrust
SplunkTrust

Hi @Ziadm,

As I said, every time I had a problem like yours I opened a Case with Splunk Support.

Remember to create a Diag and attach it to the Case, because this will be the first thing they'll ask you for, and they cannot analyze your problem without it.

Ciao.

Giuseppe


Ziadm
Path Finder

I was able to solve the issue on my own. Apparently the firewall on the domain was blocking the connection to the deployment server/indexer.
So I got this out of the way, but now I'm facing another issue: after setting up everything, I'm not receiving any events from the DC. I used the Sysmon app because I only want to get the Sysmon events for now, and I've enabled the inputs file as shown in the pic here:

[screenshot: Ziadm_0-1664839333619.png]

 

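For readers hitting the same "inputs enabled but nothing arrives" symptom: the Sysmon add-on ships its input disabled in `default/inputs.conf`, and the usual mistake is editing that file (which an app update overwrites) instead of overriding it in `local/`. The fragment below is an added example, not a file from the thread or from the add-on; the stanza name is the real Sysmon event channel, while the app folder name and the `sysmon` index are assumptions for illustration.

```ini
# Added example, not from the thread or the add-on.
# Assumed location: %SPLUNK_HOME%\etc\apps\<sysmon_app>\local\inputs.conf on the forwarder.
# A local/ stanza overrides the matching default/ stanza key by key.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
# Assumed index name. The index must already exist on the indexer: events sent to a
# non-existent index are dropped there, with a warning in the indexer's splunkd.log,
# and the forwarder side looks perfectly healthy.
index = sysmon
```

After saving, restart the forwarder service so the change is picked up, then search the indexer for `index=sysmon` (or whichever index you chose); if the forwarder is managed by a deployment server, make the change in the deployment app instead, or the next reload will overwrite it.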

Ziadm
Path Finder

[screenshot: Ziadm_0-1664845596250.png]

I checked with netstat and the connection has been established, but I got a couple of weird errors in Splunk that I don't know the meaning of, and I'm still unable to get the events from the DC.

[screenshot: Ziadm_1-1664845709698.png]

 

 


Ziadm
Path Finder

@gcusello Thank you for the help. Here's the link for the other question: https://community.splunk.com/t5/Installation/UF-isn-t-sending-data-to-indexer/m-p/615867#M11981


Ziadm
Path Finder

And before anyone asks, I set up a DHCP reservation for both the DC and the machine hosting the Splunk instance.


gcusello
SplunkTrust
SplunkTrust

Hi @Ziadm,

Let me understand: in the end, does the Universal Forwarder run on your DC?

What do you mean by "ended prematurely"?

The error in the initial configuration isn't a problem; it doesn't affect your installation.

Anyway, I suggest opening a case with Splunk Support for your problem.

Ciao.

Giuseppe


Ziadm
Path Finder

I was trying to install it on the DC but the wizard fails and says something along the lines of "it ended prematurely". But now I'm running into a blue screen issue on my DC, so I'll come back to that later.
