Splunk ITSI

Not able to add Windows host in Insight for Infrastructure.

nologin
Explorer

According to my setup, Insight for Infrastructure is installed on a CentOS 7 machine and I'm trying to add a Windows 10 host. Below is the error code which I get at the time of adding the Windows host.

Exception calling "DownloadFile" with "2" argument(s): "Unable to connect to the remote server"
At line:1 char:705
+ ... n $files) { $web.DownloadFile("https://192.168.4.142:8000/en-US/stati ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException

Exception calling "DownloadFile" with "2" argument(s): "Unable to connect to the remote server"
At line:1 char:705
+ ... n $files) { $web.DownloadFile("https://192.168.4.142:8000/en-US/stati ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException

.\install_uf.ps1 : The term '.\install_uf.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:924
+ ... erCertificateValidationCallback = $null; if ($?) { .\install_uf.ps1 }
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (.\install_uf.ps1:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

pwu_splunk
Splunk Employee

"So shall I change the IP address to 192.168.4.144 on the clipboard code and try once? "
Yes, try that.

"And I got the original error code after I added the IP of the host to be monitored."
The field is "Monitoring machine (Specify the hostname or IP address of the machine you want to send data to)". This is not supposed to be the IP address of the machine that is to be monitored but the machine that is doing the monitoring [1].

[1] In most cases, this is the machine that has SAI/SII installed. The exception is with SAI installed on a distributed Splunk deployment.

0 Karma

nologin
Explorer

I got this huge error after changing the IP address of the monitoring machine to 192.168.4.144 (Splunk Server):
[*] Install Splunk Universal Forwarder on localhost
[*] indexer server: 192.168.4.144:9997
[*] checking for previous installations of splunk>...
[!] install directory already exists. continuing to congure ..
out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\outputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:78 char:1
+ echo "[tcpout]" > $outputsconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\outputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:79 char:1
+ echo "defaultGroup = default-autolb-group" >> $outputsconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\outputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:80 char:1
+ echo "" >> $outputsconf
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\outputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:81 char:1
+ echo "[tcpout:default-autolb-group]" >> $outputsconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:195 char:3
+ echo "`n" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:194 char:3
+ echo "_meta = $dims" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:195 char:3
+ echo "`n" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:215 char:5
+ echo "[monitor://$log_source]" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:216 char:5
+ echo "sourcetype = $log_sourcetype" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:218 char:5
+ echo "`r`n" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:210 char:5
+ echo "[WinEventLog://$log_source]" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:211 char:5
+ echo "$eventlog_options" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:212 char:5
+ echo "`r`n" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:210 char:5
+ echo "[WinEventLog://$log_source]" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:210 char:5
+ echo "[WinEventLog://$log_source]" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:211 char:5
+ echo "$eventlog_options" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

out-file : Could not find a part of the path 'C:\Program Files
(x86)\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'.
At C:\Windows\system32\install_uf_script.ps1:212 char:5
+ echo "`r`n" >> $inputconf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

[*] Restarting splunk> universal fowarder
& : The term 'C:\Program Files (x86)\SplunkUniversalForwarder\bin\splunk.exe' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At C:\Windows\system32\install_uf_script.ps1:227 char:3
+ & "$splunkexe" restart
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Program File...\bin\splunk.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

[!] splunk process not running!
[!] check to make sure installation was successful.

What should I do further, please suggest...

0 Karma

pwu_splunk
Splunk Employee

I think running the script with the wrong parameters the first time may have screwed something up. I don't know what's going on, but I'd suggest uninstalling the SplunkUniversalForwarder from the target machine (and making sure that C:\Program Files (x86)\SplunkUniversalForwarder no longer exists) and retrying the installation snippet.

0 Karma
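
The checks discussed in this thread, collected into one pre-flight script to run on the Windows host before retrying the install snippet. This is an added example, not part of any post or of Splunk's install script; the function name Test-UfInstallPreflight is hypothetical, and the address, ports and directory are the ones shown in the thread.

```powershell
# Added example (not from the thread): pre-flight check before re-running the
# install snippet. Test-UfInstallPreflight is a hypothetical helper name.
function Test-UfInstallPreflight {
    param(
        [Parameter(Mandatory)] [string] $MonitoringMachine,  # machine running SII/SAI
        [int[]]  $Ports = @(8000, 9997),                      # ports seen in the thread's output
        [string] $UfDir = 'C:\Program Files (x86)\SplunkUniversalForwarder'
    )
    $problems = @()

    # 1. The "Monitoring machine" field must not be this host's own address.
    #    (Only catches IP literals; a hostname is not resolved here.)
    $localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    if ($localIps -contains $MonitoringMachine) {
        $problems += "$MonitoringMachine is a local address; enter the Splunk server, not the monitored host."
    }

    # 2. A successful ping does not prove the TCP ports are open, so test each one.
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $MonitoringMachine -Port $port -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) {
            $problems += "TCP ${port} on $MonitoringMachine is not reachable."
        }
    }

    # 3. The script prints "install directory already exists" and skips the
    #    installer when this directory is present, even if it is incomplete.
    if (Test-Path -LiteralPath $UfDir) {
        $problems += "$UfDir still exists; uninstall the forwarder and remove it first."
    }

    return ,$problems
}

$issues = Test-UfInstallPreflight -MonitoringMachine '192.168.4.144'
if ($issues.Count -eq 0) { 'Pre-flight passed; retry the install snippet.' }
else { $issues | ForEach-Object { "[!] $_" } }
```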

dauren_akilbeko
Communicator

Did you check the firewall on both the Splunk server and the Windows 10 host? Can you reach (ping) Splunk from the Windows host?

0 Karma

nologin
Explorer

Thank you @dauren_akilbekov for your reply.

Below is the ping report from the Windows host to the Splunk (Insight for Infrastructure) server; also, I'm able to connect to ports 8000, 9997 and so on on the Splunk server. I've no clue what to check, please suggest further.

ping 192.168.4.144

Pinging 192.168.4.144 with 32 bytes of data:
Reply from 192.168.4.144: bytes=32 time<1ms TTL=64
Reply from 192.168.4.144: bytes=32 time<1ms TTL=64
Reply from 192.168.4.144: bytes=32 time<1ms TTL=64
Reply from 192.168.4.144: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.4.144:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

0 Karma

pwu_splunk
Splunk Employee

"Below is the ping report from windows host to the splunk (Insight for Infrastructure) server"

How come that report has the IP address 192.168.4.144 while the script is trying to connect to a Splunk instance on 192.168.4.142?

0 Karma

nologin
Explorer

First of all, let me share my current setup with you:

  1. Splunk (Insight for Infrastructure) Server (OS: Centos-7, IP address: 192.168.4.144)
  2. Host to be monitored (OS: Windows-10, IP address: 192.168.4.142)

And I shared the above ping report as @dauren_akilbekov asked me for a ping check from the Windows host to the Splunk server. Actually, both machines are able to reach (ping) each other, but the problem still persists. Is there anything that needs to be modified on the Windows host or on the server side?

0 Karma

pwu_splunk
Splunk Employee

No, there's no special setup. The confusing thing is that the original error code says it was run with the reverse setup (Splunk at 192.168.4.142).

0 Karma

nologin
Explorer

So shall I change the IP address to 192.168.4.144 on the clipboard code and try once?
And I got the original error code after I added the IP of the host to be monitored.

0 Karma