I am testing log forwarding using universal forwarder from Windows to Splunk but can't seem to receive any logs.
My test environment has Splunk Enterprise OVA (standalone) as server and Windows 2012 (with universal forwarder) as client.
Steps I followed (not necessarily in that order):
On Windows client (Universal forwarder):
* Installed Universal forwarder
* configured as deployment client
* Added firewall rule to allow destination port 9997
* checked using "splunk list forward-server" to confirm server is listed in "active" section
On Splunk OVA enterprise server
* Configured listening on port 9997 using web console
* Added forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs" (could see my desired deployment client in the list). Selected Application, security & system events
* Stopped the iptables service (just to ensure it's not blocking traffic)
* Followed this link to receive logs from forwarder
* Created a user in Windows (client) and checked the local event logs. The local log entry can be seen in "Security" events
* Ran a search on the server (web console) to see this event. It says "no events found" for the specific index
Check etc/apps/ on the UF to confirm the inputs configuration was indeed correctly pushed from your deployment server --> It is showing the index name which has been created.
Check splunkd.log on both Splunk instances for errors:
In Splunk OVA(Linux System) --> WARN Tcpoutput - Forwarding the indexer group xxxxxx blocked for
In Windows System --> There is no error
Are the internal logs from the UF getting forwarded to the Enterprise instance? --> No
Confirm the universal forwarder runs under an account that has permissions to read the event logs --> Checked, and it is running as the SYSTEM user.
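The checklist above (inputs pushed by the deployment server, the forwarder's output target, and TcpOutput "blocked" warnings in splunkd.log) can be run offline against the config files and logs. The following is an added example, not code from the post or from Splunk: it assumes constructed sample copies of the UF's outputs.conf and inputs.conf, a constructed set of indexes that exist on the indexer, a constructed receiving port, and a few constructed splunkd.log lines in Splunk's "date time zone LEVEL Component - message" layout. The index set and the "Forwarding to indexer group ... blocked for N seconds" wording are the two assumptions the checks lean on.

```python
import re
from configparser import ConfigParser

# Constructed sample: the UF's outputs.conf after adding a forward-server
UF_OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.0.5:9997
"""

# Constructed sample: inputs.conf as pushed by the deployment server
UF_INPUTS_CONF = """
[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = win_sys
"""

# Constructed: indexes that exist on the receiving instance, and its receiving port
INDEXER_INDEXES = {"main", "wineventlog", "_internal", "_audit"}
INDEXER_RECEIVING_PORT = 9997

# Constructed splunkd.log lines (the blocked/failed messages mirror Splunk's TcpOutput wording)
SPLUNKD_LOG = """\
03-10-2020 10:15:01.123 +0000 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 10.0.0.5:9997
03-10-2020 10:15:31.456 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 30 seconds.
03-10-2020 10:16:01.789 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 60 seconds.
03-10-2020 10:16:02.000 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed
"""

BLOCKED_RE = re.compile(r"WARN\s+TcpOutputProc\s+-\s+Forwarding to indexer group (\S+) blocked for (\d+) seconds")
CONN_FAIL_RE = re.compile(r"ERROR\s+TcpOutputFd\s+-\s+Connection to host=(\S+) failed")


def parse_conf(text):
    """Parse a Splunk .conf file (INI-style stanzas) into {stanza: {key: value}}."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. defaultGroup
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_outputs(outputs_text, receiving_port):
    """Findings about where the UF sends data: missing group, bad server entry, wrong port."""
    conf = parse_conf(outputs_text)
    findings = []
    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["outputs.conf: [tcpout] has no defaultGroup; nothing will be forwarded"]
    stanza = conf.get(f"tcpout:{group}")
    if stanza is None:
        return [f"outputs.conf: defaultGroup '{group}' has no [tcpout:{group}] stanza"]
    for target in stanza.get("server", "").split(","):
        host, _, port = target.strip().rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"outputs.conf: malformed server entry '{target.strip()}' in group '{group}'")
        elif int(port) != receiving_port:
            findings.append(f"outputs.conf: group '{group}' sends to port {port}, indexer listens on {receiving_port}")
    return findings


def check_inputs(inputs_text, indexer_indexes):
    """Findings for enabled Windows Event Log inputs whose target index is not defined on the indexer."""
    findings = []
    for stanza, kv in parse_conf(inputs_text).items():
        if not stanza.startswith("WinEventLog://") or kv.get("disabled", "0") in ("1", "true"):
            continue
        index = kv.get("index", "main")  # Splunk's default index when none is set
        if index not in indexer_indexes:
            findings.append(f"inputs.conf: [{stanza}] targets index '{index}', which does not exist on the indexer")
    return findings


def scan_splunkd_log(text):
    """Longest 'blocked for N seconds' per indexer group, plus hosts whose TCP connection failed."""
    blocked, failed = {}, []
    for line in text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            blocked[m.group(1)] = max(int(m.group(2)), blocked.get(m.group(1), 0))
            continue
        m = CONN_FAIL_RE.search(line)
        if m:
            failed.append(m.group(1))
    return {"blocked": blocked, "failed_hosts": failed}


def diagnose(outputs_text, inputs_text, indexer_indexes, receiving_port, log_text):
    """Combine the config checks with the log scan into one list of findings."""
    findings = check_outputs(outputs_text, receiving_port) + check_inputs(inputs_text, indexer_indexes)
    log = scan_splunkd_log(log_text)
    for group, secs in log["blocked"].items():
        findings.append(f"splunkd.log: output queue for group '{group}' blocked for up to {secs}s; the receiver is not accepting data")
    for host in log["failed_hosts"]:
        findings.append(f"splunkd.log: TCP connection to {host} failed; check the listener, firewall and host:port")
    return findings


if __name__ == "__main__":
    for f in diagnose(UF_OUTPUTS_CONF, UF_INPUTS_CONF, INDEXER_INDEXES, INDEXER_RECEIVING_PORT, SPLUNKD_LOG):
        print("-", f)
```

With the constructed inputs the script reports one input stanza pointing at an index the indexer does not have, a queue blocked for up to 60 seconds, and a failed connection to 10.0.0.5:9997. A growing "blocked for N seconds" counter on the sending side means the output queue is full because the receiver is not draining it, so the listener, firewall path and target index on the receiving instance are the things to verify first; replace the sample strings with the real files and the real index list to run it against an actual forwarder.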