
uberAgent to collect desktop activity

New Member

Hi,
I have installed Splunk Server for Windows on my machine successfully. I wanted to run uberAgent to capture desktop activities, so I downloaded the uberAgent technology add-on and the UI app, successfully installed uberAgent under Apps in my Splunk Web, also installed the Splunk forwarder and copied the uberAgent TA, and I see uberAgent.exe in my Task Manager. The agent has started collecting data into C:\Windows\Temp\uberAgent.log.
Now, when I go to uberAgent in Splunk Web, I do not see any log activity. How do I get the uberAgent.log data displayed in the uberAgent app in Splunk Web?

Note: I have installed Splunk, the Splunk forwarder and uberAgent all on the same desktop machine, and in the Splunk forwarder installation setup I gave the same machine's IP as the address to send the data to.

Am I missing something? Please help me get this sorted out, since I need to do a little demo on how Splunk collects/displays desktop-related data through uberAgent.


New Member

Hi Helge, thanks for making things clear. I just want to revalidate my thoughts and have a few questions:

I understand the Splunk forwarder collects the data and sends it to the Splunk server on another machine; does that mean both machines necessarily have to be in the same domain? Am I correct?

Tell me if my understanding is right. I did the following:

Machine on which the Splunk server is running:
Go to Manager -> Forwarding and receiving -> Receive data -> Add new -> 9997 -> Save.

Machine on which the Splunk forwarder/uberAgent is running:
On installation of the Splunk forwarder, give the IP of the machine on which the Splunk server is running. Should I give the port as "9997" so that it sends data to that port?


In case I have to reconfigure the IP/port on my Splunk forwarder, how do I do that? Is the only option left to uninstall and reinstall the Splunk forwarder? (I do not see any Splunk forwarder web page like the one the Splunk server has.) If not, what are the command line instructions to change the IP to which the Splunk forwarder has to send data?


New Member

The re-edit hangs after "save edit". Could you answer me about the same-domain setup? Should the Splunk server machine and the Splunk forwarder all be under the same domain to send data? Should I configure the Splunk server machine's IP and port 9997 on installation?


New Member

Thanks, I just didn't figure out how to re-edit :). Thanks, I am trying to re-edit now.


Builder

@sowmy: You should update your original question instead of adding more questions as an answer. You can find information about reconfiguring the Universal Forwarder here: http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Deploymentoverview#General_configuration_is.... I would recommend uninstalling and reinstalling the forwarder, however.


Builder

Are you commenting on my answer? If so please do so below my answer.


Builder

To avoid confusion: uberAgent writes the data it collects directly to Splunk's Universal Forwarder. The file uberAgent.log is only for status messages, i.e. troubleshooting uberAgent.

Did you follow the steps in the documentation? Please review closely:

Install and Configure Splunk

Install and Deploy uberAgent

The missing piece might be that the receiver is not enabled. From the documentation linked to above: "Set up receiving data from forwarders, e.g. through Manager -> Forwarding and receiving -> Receive data -> Add new -> 9997 -> Save."

Just to be on the safe side you should check if any data arrives from uberAgent by running the following in the Splunk search app:

index=uberAgent

If all this does not help: are there any errors in uberAgent.log?

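The two procedures discussed in this thread (opening the receiving port on the Splunk server, per the answer above, and re-pointing the Universal Forwarder at a different IP/port without reinstalling, per the earlier reply linking the deployment docs) can both be done and verified from the command line. The script below is an added example written for this page; it is not code from the thread, from Splunk, or from uberAgent. It assumes default install paths, that the Splunk server is reachable at the placeholder address 192.0.2.10, that `$Auth` holds a real admin login, and that it is run from an elevated PowerShell prompt on the forwarder host (in the original poster's setup, server and forwarder are the same machine).

```powershell
# Added example (not from the thread, Splunk or uberAgent): open the receiver,
# (re)point the Universal Forwarder at it, then check that data actually arrives.
# Assumptions (edit to fit your environment):
#   - default install paths for Splunk and the Universal Forwarder
#   - Splunk server reachable at 192.0.2.10 (placeholder address)
#   - $Auth is a real admin login; run from an elevated PowerShell prompt
param(
    [string]$IndexerHost   = "192.0.2.10",
    [int]   $ReceivePort   = 9997,
    [string]$Auth          = "admin:changeme",
    [string]$SplunkHome    = "C:\Program Files\Splunk",
    [string]$ForwarderHome = "C:\Program Files\SplunkUniversalForwarder"
)

$splunk = Join-Path $SplunkHome    "bin\splunk.exe"   # Splunk server CLI
$uf     = Join-Path $ForwarderHome "bin\splunk.exe"   # Universal Forwarder CLI (same binary name)

# 1. Splunk server: enable receiving. CLI equivalent of
#    Manager -> Forwarding and receiving -> Receive data -> Add new -> 9997 -> Save.
& $splunk enable listen $ReceivePort -auth $Auth
& $splunk display listen -auth $Auth

# 2. Forwarder: show the current target(s), then (re)point it.
#    'add forward-server' writes outputs.conf under etc\system\local, so changing
#    the IP or port does not require an uninstall/reinstall. A stale entry is
#    dropped with: & $uf remove forward-server OLDHOST:9997 -auth $Auth
& $uf list forward-server -auth $Auth
& $uf add forward-server "${IndexerHost}:${ReceivePort}" -auth $Auth
& $uf restart

# 3. From the forwarder host: is the receiving port reachable at all?
$tcp = Test-NetConnection -ComputerName $IndexerHost -Port $ReceivePort
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP ${IndexerHost}:${ReceivePort} not reachable: check the receiver and Windows Firewall"
}

# 4. Are the forwarder and the agent processes running?
Get-Process -Name splunkd, uberAgent -ErrorAction SilentlyContinue |
    Select-Object Name, Id, StartTime

# 5. Forwarder-side evidence: connection problems to the indexer are logged by the
#    TcpOutputProc component in the forwarder's own splunkd.log.
$ufLog = Join-Path $ForwarderHome "var\log\splunk\splunkd.log"
Get-Content $ufLog -Tail 500 | Select-String -Pattern "TcpOutputProc" | Select-Object -Last 10

# 6. uberAgent.log carries status messages only (not the collected data); scan it for problems.
Get-Content "C:\Windows\Temp\uberAgent.log" -Tail 500 |
    Select-String -Pattern "error|warn" | Select-Object -Last 10

# 7. Splunk server: did anything land in the uberAgent index in the last 15 minutes?
& $splunk search "index=uberAgent earliest=-15m | stats count by host, sourcetype" -auth $Auth
```

Read the output top to bottom: an empty `display listen` means step 1 of the documented setup was skipped; an "inactive" target in `list forward-server` together with a failed `Test-NetConnection` points at the firewall or a wrong IP; a forwarder that connects but an empty step 7 result points at the TA or index configuration rather than the network. A successful TCP test only proves reachability; whether the 9997 channel is TLS-protected is a separate outputs.conf/inputs.conf setting and is not checked here.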

New Member

@helge: I tried that too; can you please reply to my questions below?


Builder

@sowmy: I have never tested a setup with everything on one machine. Could you try installing the Universal Forwarder and uberAgent TA on a different system?


New Member

I did all that. I don't see any data in search, and there are no errors in the log; the TA is absolutely fine, it's just that the data does not flow to the UI app.


New Member

Hi, I just did the steps, but I still see no data when I go to Splunk Web -> Apps -> uberAgent. I want my log data to be displayed here; right now the page says 0 sessions, 0 views and all the tables are empty.
The steps listed by you actually connect the collected data to the Splunk server as a new source type; I want uberAgent.log to be read by its UI counterpart (uberAgent under Splunk Web/Apps).


SplunkTrust

You don't need to use the forwarder in this case. In your Splunk Web UI, go to Manager > Data Inputs > Files and Directories > New. Then browse for your uberAgent.log file and set it up as an input. This should get you the data you need into Splunk.


New Member

Yes, you are right, I want to see it in the uberAgent Splunk app.


Builder

This is correct if the OP wants to process uberAgent's log file, but I suspect he wants to see the data uberAgent TA collects in uberAgent's Splunk app.
