Why isn't my UF sending data to indexer?

Ziadm
Path Finder

I just set up the UF on my DC (it's a lab environment) and I can confirm that both are connected on the specified ports using netstat, but I'm not getting any logs from my DC.
I'm also using the Splunk add-on for Windows and enabled logs for Sysmon and AD only.

This is my inputs file for the add-on.

Ziadm_1-1664900964212.png


And I keep getting these errors in my Splunk instance.
Here's also the log file for splunkd.

Ziadm_0-1664900781505.png


0 Karma

Ziadm
Path Finder

Another pic from the GUI.

Ziadm_0-1664904422177.png


0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Ziadm,

As I asked in the previous question, I have some questions to help debug your issue:

  • Does your UF send logs to the indexer? You can check on the indexer by running a simple search like "index=_internal host=<DC_hostname>"
  • If yes, how are you taking DC logs? Which add-on are you using?
  • If not, check the connection between UF and IDX using "telnet <ip_indexer> 9997"

Ciao.

Giuseppe

0 Karma

Ziadm
Path Finder

So as I said already, I'm not getting any logs from the DC, and I'm using the Splunk add-on for Windows to get the logs. And yes, I was able to telnet in using the 9997 port without an issue, even though I didn't really need to because I had confirmed before with netstat that there was an established connection on this port between my DC and the Splunk instance. As per this screenshot, I believe it confirms that there's a connection between the two machines; in fact the deployment server is working fine. So I don't really know where the issue is, to be honest. I had disabled the firewall on both machines but that didn't help at all.

Ziadm_0-1664963009835.png


0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Ziadm,

I'm not speaking of DC logs, I'm speaking of Splunk Universal Forwarder logs (index=_internal host=<DC-hostname>).

This is relevant to understanding whether the problem is in the connection or in the configuration.

Ciao.

Giuseppe

Ziadm
Path Finder

Ok, my bad. So I ran the search and no, the UF isn't sending anything.
I also ran all the searches here and they all returned 0 events:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Troubleshooting/Cantfinddata?_gl=1*ip55yp*_ga*NjE...2130356.1417374891.1664733351-617023476.1664733351
The last one, though, that I ran in the CLI returned an SSL error that I think is irrelevant to my issue.

0 Karma

Ziadm
Path Finder

You are more than welcome to remote into my lab and check things out yourself if you want to.

0 Karma

Ziadm
Path Finder

I can't believe it, the solution in this thread worked for me: https://community.splunk.com/t5/Monitoring-Splunk/Tcpout-Processor-The-TCP-output-processor-has-paus...

I don't even know how this outputs file got there, but alright.

0 Karma
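An added troubleshooting helper for the two points raised in this thread (it is not code from the thread, from @gcusello, or from Splunk): Giuseppe's checklist asks whether the forwarder is actually reaching the indexer, and the accepted answer turned out to be a stray outputs.conf that paused the TCP output processor. The script below (1) walks a SPLUNK_HOME and lists every outputs.conf that contributes a [tcpout] stanza, so an unexpected file stands out, and (2) scans splunkd.log for WARN/ERROR lines from the TcpOutputProc component. The file names, hostnames, and log lines are constructed for the example; the real merged view of your config is what `splunk btool outputs list --debug` prints.

```python
"""
Added example, not code from the thread or from Splunk: an offline checker for
(1) which outputs.conf files on a forwarder define [tcpout] stanzas and
(2) TcpOutputProc warnings in splunkd.log. Paths, hostnames and log lines are
constructed for the demo.
"""
import configparser
import re
import tempfile
from pathlib import Path

# Locations a forwarder reads outputs.conf from; the merged precedence is what
# `splunk btool outputs list --debug` shows, these globs just enumerate the files.
CONF_GLOBS = (
    "etc/system/local/outputs.conf",
    "etc/apps/*/local/outputs.conf",
    "etc/apps/*/default/outputs.conf",
)

# splunkd.log line shape: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component - message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+)\s+(?P<comp>\w+) - (?P<msg>.*)$"
)


def tcpout_stanzas_in_text(text, origin):
    """Parse one outputs.conf body; return [(origin, stanza, server)] for [tcpout*] stanzas."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return [
        (origin, stanza, parser[stanza].get("server", ""))
        for stanza in parser.sections()
        if stanza.startswith("tcpout")
    ]


def find_tcpout_stanzas(splunk_home):
    """Walk a SPLUNK_HOME and collect tcpout stanzas from every outputs.conf it reads."""
    home = Path(splunk_home)
    hits = []
    for pattern in CONF_GLOBS:
        for conf in sorted(home.glob(pattern)):
            rel = conf.relative_to(home).as_posix()
            hits.extend(tcpout_stanzas_in_text(conf.read_text(encoding="utf-8"), rel))
    return hits


def tcpout_problems(log_text):
    """Return (level, message) for WARN/ERROR lines from the TcpOutputProc component."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["comp"] == "TcpOutputProc" and m["level"] in ("WARN", "ERROR"):
            found.append((m["level"], m["msg"]))
    return found


def findings(stanzas, problems):
    """Reduce the raw results to the short list a troubleshooter wants to read."""
    notes = []
    files = sorted({origin for origin, _, _ in stanzas})
    if len(files) > 1:
        notes.append("tcpout defined in more than one file: " + ", ".join(files))
    servers = sorted({server for _, _, server in stanzas if server})
    if len(servers) > 1:
        notes.append("conflicting tcpout servers: " + ", ".join(servers))
    if any("paused" in msg for _, msg in problems):
        notes.append("TcpOutputProc reports the output processor is paused")
    return notes


# Constructed sample install: the expected system/local file plus a stray
# app-level file pointing at a different host (the kind of leftover the fix removed).
SAMPLE_CONFS = {
    "etc/system/local/outputs.conf": (
        "[tcpout]\ndefaultGroup = default-autolb-group\n\n"
        "[tcpout:default-autolb-group]\nserver = splunk-idx.lab.example:9997\n"
    ),
    "etc/apps/stray_app/local/outputs.conf": "[tcpout:old-lab]\nserver = 10.0.0.250:9997\n",
}

# Constructed splunkd.log lines, modeled on the "output processor has paused" warning.
SAMPLE_LOG = """\
10-04-2022 15:02:11.101 +0000 INFO  TcpOutputProc - Connected to idx=splunk-idx.lab.example:9997
10-04-2022 15:02:41.205 +0000 WARN  TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to host_dest=10.0.0.250 inside output group old-lab from host_src=DC01 has been blocked for blocked_seconds=30.
10-04-2022 15:02:41.206 +0000 INFO  TailReader - Registering file=C:\\Windows\\Sysmon\\log.txt
"""


def demo():
    """Write the sample install to a temp dir, run both checks, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_CONFS.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        stanzas = find_tcpout_stanzas(tmp)
    return findings(stanzas, tcpout_problems(SAMPLE_LOG))


if __name__ == "__main__":
    for note in demo():
        print("-", note)
```

To use it against a real forwarder, call `find_tcpout_stanzas(r"C:\Program Files\SplunkUniversalForwarder")` and pass the contents of `var/log/splunk/splunkd.log` to `tcpout_problems`; two files defining tcpout with different servers is exactly the situation to resolve before looking further at inputs.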

gcusello
SplunkTrust
SplunkTrust

Hi @Ziadm,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
