After enabling the firewall, telnet is working and the forwarder is able to connect to the indexer, but I am seeing the errors below in the forwarder log:
01-04-2016 22:06:25.163 -0600 INFO TcpOutputProc - Connected to idx=10.0.0.35:9997
01-04-2016 22:06:29.607 -0600 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_access.log'.
01-04-2016 22:06:29.616 -0600 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_ui_access.log'.
01-04-2016 22:06:32.921 -0600 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::bind: Failed to get domain controller name with DsGetDcName: (1355)
01-04-2016 22:06:32.921 -0600 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::connectToDC: DsBind failed: (1355)
01-04-2016 22:06:32.921 -0600 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=25 msec
01-04-2016 22:15:02.025 -0600 INFO TcpOutputProc - Connection to 10.0.0.35:9997 closed. Connection closed by server.
01-04-2016 22:15:22.397 -0600 WARN TcpOutputProc - Cooked connection to ip=10.0.0.35:9997 timed out
01-04-2016 22:15:43.884 -0600 WARN TcpOutputProc - Cooked connection to ip=10.0.0.35:9997 timed out
01-04-2016 22:15:53.944 -0600 INFO TcpOutputProc - Connected to idx=10.0.0.35:9997
01-04-2016 22:30:33.323 -0600 INFO TcpOutputProc - Connection to 10.0.0.35:9997 closed. Connection closed by server.
01-04-2016 22:30:53.389 -0600 WARN TcpOutputProc - Cooked connection to ip=10.0.0.35:9997 timed out
01-04-2016 22:31:03.128 -0600 INFO TcpOutputProc - Connected to idx=10.0.0.35:9997
I am seeing the message below in the receiver's Splunk Web:
Received event for unconfigured/disabled/deleted index=wineventlog with source="source::WinEventLog:System" host="host::xxxx" sourcetype="sourcetype::WinEventLog:System". So far received events from 1 missingindex(es).
I am trying to forward the Windows event log from the forwarder, and below is the inputs.conf file from the forwarder:
[default]
host = xxxx
[WinEventLog://Application]
disabled = 0
index = xxxx
sourcetype = security
What could be the issue? I have also created a new index in the receiver with that index name.
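As an added illustration (not part of the post, and not Splunk's own tooling), the script below parses an inputs.conf in the shape shown above and the receiver's "unconfigured/disabled/deleted index" warning, then cross-checks them: which enabled stanzas point at an index the receiver does not have, and which stanza (if any) in the posted file covers the source channel named in the warning. The sample inputs.conf and warning text are constructed copies of what the post shows; the set of indexes on the receiver is an assumption. The WinEventLog source-to-stanza mapping (`WinEventLog:System` to `[WinEventLog://System]`) follows the naming visible in the post's own log and config.

```python
import re
from typing import Dict, Optional

# Constructed sample mirroring the inputs.conf quoted in the post.
SAMPLE_INPUTS_CONF = """\
[default]
host = xxxx

[WinEventLog://Application]
disabled = 0
index = xxxx
sourcetype = security
"""

# Constructed copy of the receiver-side warning quoted in the post.
SAMPLE_WARNING = (
    'Received event for unconfigured/disabled/deleted index=wineventlog '
    'with source="source::WinEventLog:System" host="host::xxxx" '
    'sourcetype="sourcetype::WinEventLog:System". '
    'So far received events from 1 missingindex(es).'
)

# Assumption: the indexes that exist on the receiver (the post says an
# index named like the one in inputs.conf was created there).
RECEIVER_INDEXES = {"main", "xxxx"}

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")
WARNING_RE = re.compile(
    r"unconfigured/disabled/deleted index=(?P<index>\S+)\s+with\s+"
    r'source="source::(?P<source>[^"]*)"\s+host="host::(?P<host>[^"]*)"\s+'
    r'sourcetype="sourcetype::(?P<sourcetype>[^"]*)"'
)


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse inputs.conf-style text into {stanza: {key: value}}.

    Settings under [default] are merged into every other stanza (the way
    Splunk applies defaults); the [default] stanza itself is not returned.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value")
    defaults = stanzas.get("default", {})
    return {name: {**defaults, **s} for name, s in stanzas.items() if name != "default"}


def parse_missing_index_warning(line: str) -> Optional[Dict[str, str]]:
    """Extract index/source/host/sourcetype from the receiver's warning line."""
    m = WARNING_RE.search(line)
    return m.groupdict() if m else None


def stanza_for_source(inputs: Dict[str, Dict[str, str]], source: str) -> Optional[str]:
    """Map a source such as 'WinEventLog:System' to its stanza
    'WinEventLog://System'; None when no stanza in this file covers it."""
    if ":" not in source:
        return None
    kind, channel = source.split(":", 1)
    name = f"{kind}://{channel}"
    return name if name in inputs else None


def inputs_with_missing_index(inputs: Dict[str, Dict[str, str]], receiver_indexes) -> Dict[str, str]:
    """Enabled stanzas whose configured index does not exist on the receiver."""
    problems: Dict[str, str] = {}
    for name, settings in inputs.items():
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue
        idx = settings.get("index")
        if idx is not None and idx not in receiver_indexes:
            problems[name] = idx
    return problems


def diagnose(conf_text: str, warning_line: str, receiver_indexes) -> Dict[str, object]:
    """Cross-check the forwarder config against the receiver's warning."""
    inputs = parse_inputs_conf(conf_text)
    report: Dict[str, object] = {
        "missing_on_receiver": inputs_with_missing_index(inputs, receiver_indexes),
    }
    warning = parse_missing_index_warning(warning_line)
    if warning:
        report["warning_index"] = warning["index"]
        # None means the channel in the warning is not configured in this
        # file, so its index setting comes from some other inputs.conf.
        report["warning_stanza"] = stanza_for_source(inputs, warning["source"])
        report["index_exists_on_receiver"] = warning["index"] in receiver_indexes
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_INPUTS_CONF, SAMPLE_WARNING, RECEIVER_INDEXES).items():
        print(f"{key}: {value}")
```

Run against the constructed inputs, the report shows no stanza in the posted file targets a missing index, while the warning's index (`wineventlog`) is absent from the assumed receiver index set and its source channel (`WinEventLog:System`) has no stanza in the posted file. Feeding the script the forwarder's full merged configuration (every inputs.conf layer, not just one file) is the way to find which layer actually sets that channel's index.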