Hi @Ziadm,

as I said, all the times I had a problem like your I opened a Case to Splunk Support.

Remember to create a Diag and attach it to the Case because this will be the first thing they'll ask you and they connot analyze you problem without it.

Ciao.

Giuseppe

 i was able to solve the issue on my own apparently the firewall on the domain was blocking the connection to the deployment server/indexer
so i got this out of the way but now I'm facing another issue  after setting up everything I'm not receiving any events from the dc , i used the sysmon app because I only want to get the sysmon events for now  and I've enabled the inputs file as shown in the pic here

e 

 I checked with netstat and the connection has been established but i got a couple of weird errors in splunk that i don't know what they mean and I'm still unable to get the events from the DC

@gcusello  thank you for the help , here's the link for the other question https://community.splunk.com/t5/Installation/UF-isn-t-sending-data-to-indexer/m-p/615867#M11981

Hi @Ziadm,

let me understand: at the end, does the Universal Forwarder run on your DC?

What do you mean with ended prematurely?

the error in the initial configuration isn't a problem, doesn't give any problem to your installation.

Anyway, I hint to open a case to Splunk Support for your problem.

Ciao.

Giuseppe

i was trying to install it on the dc but the wizard fails and says something along the line that it ended prematurely , but now i'm running into a blue screen issue on my DC so i'll come back to that later