Getting Data In

Windows host and source types not shown in search

thejohn
Path Finder

I had to reinstall my universal forwarder on windows server and splunk stopped showing new messages. So deleted all messages of this host then I cleaned wineventlog index then reinstalled UF again because I thought that might force it. Now I don't see my server in hosts and all EventLog source types disappeared but when I search "index=wineventlog" I can see all new messages.

How can I re-add the server to hosts and how to old source types?

This is splunk light btw.

0 Karma
1 Solution

thejohn
Path Finder

Ok I got it I think.
I copied authorize.conf from /etc/system/default to /etc/system/local on splunk light server and changed this line
srchIndexesDefault = main;os
to
srchIndexesDefault = wineventlog;main;os
for admin user.
After restart everything worked as it should.
I think there might be a bug in Windows Add-On not configuring correctly.

View solution in original post

0 Karma

thejohn
Path Finder

Ok I got it I think.
I copied authorize.conf from /etc/system/default to /etc/system/local on splunk light server and changed this line
srchIndexesDefault = main;os
to
srchIndexesDefault = wineventlog;main;os
for admin user.
After restart everything worked as it should.
I think there might be a bug in Windows Add-On not configuring correctly.

0 Karma

thejohn
Path Finder

Ok so I think I know what the problem is. By default splunk searches only main index I think. Windows Add-On uses wineventlog which is not searched. I set it up again so forwarder forwards to main index instead of wineventlog and success, the host and sourcetypes were shown. So now the question is how do I configure splunk light to also search wineventlog index. If you use splunk enterprise I think you just need to set up roles so that it is visible by your user. Don't know how to do this on light yet...

edit:
Also when I configured UF as deployment client I thought it will forward messages on its own, but it turns out you still need to add receiving server.

0 Karma

pierre31
New Member

I am having the same issue here too... all my linux host are showing. WinSrv 2012 showing but now win7.

0 Karma

thejohn
Path Finder

I restored splunk to snapshot just after install and repeated the installation of UF multiple times. First I specified only receiving server and again all logs went to wineventlog index but are not shown anywhere. Second I tried configuring UF as deployment client and server does not receive any messages. I am totally lost...

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...