Is the Splunk server in the same Domain/Workgroup as the server you are trying to get the data from?
I had to install a second Splunk server in our environment to collect from servers in another domain.
I believe that the Splunkd service will try and connect to the server using the credentials specified during the install.
I have it set the other way, I am only indexing certain events and sending everything else to the nul queue:
props.conf
[wmi]
TRANSFORMS-wmifilter = wmi-null, wmi-filter
[source::wineventlog:security]
TRANSFORMS-evtlog = log-null, log-filter
transforms.conf
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[wmi-filter]
REGEX = EventCode=(560|529)
DEST_KEY = queue
FORMAT = indexQueue
Try switching them round, should work.
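To see why the order of the two transforms matters, here is a small simulation of how Splunk walks a TRANSFORMS-<class> list (added example, not from the post or from Splunk itself): each transform whose REGEX matches the raw event writes its FORMAT into DEST_KEY, so the last matching transform decides the queue. The sample events are constructed, and the default of indexQueue for events no transform touches is the assumed Splunk default.

```python
import re

# Constructed sample events (not real log data), roughly what the WMI
# security-log input hands to the parsing pipeline as _raw.
SAMPLE_EVENTS = [
    "LogName=Security EventCode=560 Type=Audit Success Message=Object Open",
    "LogName=Security EventCode=529 Type=Audit Failure Message=Logon Failure",
    "LogName=Security EventCode=538 Type=Audit Success Message=User Logoff",
    "LogName=Security EventCode=4624 Type=Audit Success Message=Logon",
]

# The two transforms.conf stanzas from the post, expressed as data:
# stanza name -> (REGEX, DEST_KEY, FORMAT).
TRANSFORMS = {
    "wmi-null":   {"REGEX": r".",                   "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "wmi-filter": {"REGEX": r"EventCode=(560|529)", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}


def route_event(raw, transform_order, transforms=TRANSFORMS):
    """Return the queue one event ends up in after the named transforms are
    applied in the order given. Every transform whose REGEX matches writes
    its FORMAT into DEST_KEY, so the last match wins (assumed to mirror how
    Splunk processes a TRANSFORMS-<class> = a, b list)."""
    keys = {"queue": "indexQueue"}  # assumed default: untouched events are indexed
    for name in transform_order:
        t = transforms[name]
        if re.search(t["REGEX"], raw):
            keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"]


def route_all(transform_order, events=SAMPLE_EVENTS):
    """Map each sample event's EventCode to the queue it is routed to."""
    result = {}
    for raw in events:
        code = re.search(r"EventCode=(\d+)", raw).group(1)
        result[code] = route_event(raw, transform_order)
    return result


if __name__ == "__main__":
    # Order from the post: drop everything, then rescue 560/529.
    print("wmi-null, wmi-filter:", route_all(["wmi-null", "wmi-filter"]))
    # Reversed: the catch-all runs last and sends every event to nullQueue.
    print("wmi-filter, wmi-null:", route_all(["wmi-filter", "wmi-null"]))
```

With the post's order only EventCode 560 and 529 reach indexQueue; with the two names swapped the catch-all regex runs last and every event, including 560 and 529, is discarded, which is the symptom to check for when a "keep some, drop the rest" filter silently indexes nothing.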
I was looking at implementing Splunk a couple of months ago and I thought about how I was going to get the Security log from over 200 servers. I too thought about installing forwarders on each of the servers, but this would have been impossible to do in the time that I had.
I ended up using WMI to gather selected events from Security logs. I had to build three Splunk servers: 1 central server that would do all the indexing, 1 that would gather from non-domain servers, and one that gathers from AD servers. Each of these forwards to the central instance for indexing. We are also indexing all the syslog data on UDP:514.