Getting Data In

How do you get data into Splunk Enterprise with a universal forwarder?

bwouters
Path Finder

I installed a Splunk Enterprise 7.0 on a Unix machine and wish to get data from a Windows machine (any data would suffice for now since I'm new to Splunk, trying to grasp the concept of it all)

Some configs I did using the documentation available:
Splunk Enterprise server (unix system)
$ cat inputs.conf
[default]
host = SPLUNK

[splunktcp://9997]
disabled = 0

Splunk Universal Forwarder (Windows Server machine)
-> splunk add forward-server :9997
-> splunk set deploy-poll :9997
-> Added some config in 'inputs.conf'

Windows platform specific input processor.

[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[monitor:///apache/*.log]
disabled = 0

-> splunk enable eventlog System
Specified input collection has been enabled

Now I want to add a Forwarder using the Splunk Web on my Enterprise system.
I log on to the website, select 'Add data' > 'Forward' > 'There are currently no forwarders configured as deployment clients to this instance.'
Not sure what I'm doing wrong. However, when I search for data, I do see some results there from the Windows machine!

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

The deploy-poll should be port 8089 of your deployment server, assuming default ports are used.

View solution in original post

gcusello
Legend

Hi bwouters,
To take windows logs, I suggest to use Splunk_TA_Windows that contains all the configurations to take windows logs.
This TA is available at https://splunkbase.splunk.com/app/742/ and contains all inputs and scripts to take windows logs, you have only to enable them in inputs.conf putting disabled=0 in the stanzas you like.

Bye.
Giuseppe

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The deploy-poll should be port 8089 of your deployment server, assuming default ports are used.

martin_mueller
SplunkTrust
SplunkTrust

The outputs.conf is fine, as you've said yourself - you see events from that machine indexed.

Deployment client config is stored in deploymentclient.conf (duh), the CLI command creates the file in etc/system/local.

0 Karma

bwouters
Path Finder

It's working now, after changing the port to 8089.
I guess the system needed a bit more time to process the change.

Thanks for informing me about the port!

0 Karma

bwouters
Path Finder

I executed the command again with different port (8089) but without success.
Is there a specific config file I can check to make sure it has changed?

I checked the output.conf file on etc/system/local
It contains the following

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = IP:9997

[tcpout-server://IP:9997]

-> Is this even the correct place to look?

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...