Trying to view Windows Logs

aalborz · ‎10-05-2012

I'm trying to view Windows Logs. I installed the universal forwarder on the local Windows PC.
I configured only for local system, not remote. I added new receiver port 9997 on the server & restarted Splunk.
But when I go to Add data from Windows Logs, still asks me to install univ. forwarder and when I got to server, doesn't list the receiver I added. When I try to re-add it, it shows me this:

"Encountered the following error while trying to save: In handler 'cooked': Failed to create. Configuration for port 9997 already exists."

Splunk 4.3 Server is running on Linux.

sdaniels · ‎10-05-2012

You cannot configure the inputs on the Splunk server. YOu'll need to do that on the forwarder located on your windows PC. Here's what you need to do:

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Setupforwardingandreceiving

1) Enable the receiver on splunk server for port 9997 ( Done )
2) Edit outputs.conf on the forwarder to tell it to send to your reciever.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Configureforwarderswithoutputs.confd

3) Configure inputs.conf on the forwarder.

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorwindowsdata#Use_inputs.conf_to_configure...

sdaniels · ‎10-05-2012

It's not too bad at all. Steps 2 and 3 are a couple of lines each in two configuration files. Once you get the hang of where the files are etc...it's smooth sailing. Then on a larger scales we have the deployment mananger so you can edit something once and push it out to many servers.

aalborz · ‎10-05-2012

Seems to be too much work to get Windows logs into Splunk!

Trying to view Windows Logs

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!