Splunk Search

Windows Universal Forwarder - Not Forwarding?

pmacdonald
Explorer

I am trying to track down why my Windows Universal Forwarder is not forwarding to the Splunk server/index. I can't seem to see anything, for example in the past 24 hours, and I'm not sure why.

##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##


###### OS Logs ######
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
index = hostmonitoring
type = Computer

[WinHostMon://Process]
interval = 600
disabled = 0
index = hostmonitoring
type = Process

[WinHostMon://Processor]
interval = 600
disabled = 0
index = hostmonitoring
type = Processor

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
index = hostmonitoring
type = NetworkAdapter

[WinHostMon://Service]
interval = 600
disabled = 0
index = hostmonitoring
type = Service

[WinHostMon://Disk]
interval = 600
disabled = 0
index = hostmonitoring
type = Disk

###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
index = perfmoncpu
instances = *

mode = multikv
object = Processor
useEnglishOnly=true

## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
index = perfmonlogicaldisk
instances = *
interval = 60
mode = multikv
object = LogicalDisk
useEnglishOnly=true

## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
index = perfmonphysicaldisk
instances = *
interval = 60
mode = multikv
object = PhysicalDisk
useEnglishOnly=true

## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
index = perfmonmemory
interval = 60
mode = multikv
object = Memory
useEnglishOnly=true

## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
index = perfmonnetwork
instances = *
interval = 60
mode = multikv
object = Network Interface
useEnglishOnly=true

## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
index = perfmonprocess
instances = *
interval = 60
mode = multikv
object = Process
useEnglishOnly=true

## Processor Information
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
index = perfmonprocessinfo
instances = *
interval = 60
mode = multikv
object = Processor Information
useEnglishOnly=true

## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
index = perfmonsystem
instances = *
interval = 60
mode = multikv
object = System
useEnglishOnly=true


gcusello
Esteemed Legend

Hi @pmacdonald,

you have to troubleshoot your connection.

First, do you get results running

index=_internal host=<your_host>

or

index=* host=<your_host>

?

If yes, the connection is OK and there is some input problem; if not, you have to check the connection between the forwarder and the indexers, e.g. using telnet.

Ciao.

Giuseppe
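The checks described in this answer, written out as a script to run in an elevated PowerShell on the forwarder host. This is an added example, not code from the thread or from Splunk; it assumes the default Universal Forwarder install path and the default receiving port 9997, and it reads the receiver list from the effective outputs.conf rather than hard-coding a hostname. It separates the DNS lookup from the TCP test on purpose, because a name that does not resolve (the cause reported later in this thread) looks identical to a firewall block if you only run telnet. Note also that the inputs.conf posted in the question is the TA's default file (its header says so); the last step prints the effective inputs and the indexes they target, since events sent to an index that does not exist on the indexers are dropped there.

```powershell
# Added troubleshooting script (not from the original thread).
# Assumptions: UF installed under $SplunkHome; receiving port 9997 when a
# server entry has no explicit port. Adjust both for your environment.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
)

$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
$log    = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'

# 1. Is the forwarder service running at all?
Get-Service SplunkForwarder | Select-Object Status, StartType

# 2. Effective outputs.conf (btool merges default and local and shows the source file).
& $splunk btool outputs list tcpout --debug

# 3. The forwarder's own view of its receivers (active vs. configured-but-inactive).
& $splunk list forward-server

# 4. For every "server = host:port[, host:port]" entry, test DNS and TCP separately.
$servers = & $splunk btool outputs list tcpout |
    Where-Object { $_ -match '^\s*server\s*=\s*(.+)$' } |
    ForEach-Object { $Matches[1] -split '\s*,\s*' }

foreach ($s in $servers) {
    # $host is a reserved automatic variable in PowerShell, so use $hostName.
    $hostName, $port = $s.Trim() -split ':'
    if (-not $port) { $port = 9997 }   # assumption: default Splunk receiving port

    try {
        $ip = Resolve-DnsName -Name $hostName -ErrorAction Stop |
              Where-Object { $_.Type -in 'A', 'AAAA' } |
              Select-Object -First 1 -ExpandProperty IPAddress
        Write-Host "DNS  $hostName -> $ip"
    } catch {
        # A DNS failure is reported here, before any TCP attempt is made.
        Write-Warning "DNS  $hostName FAILED: $($_.Exception.Message)"
        continue
    }

    $tnc = Test-NetConnection -ComputerName $hostName -Port $port -WarningAction SilentlyContinue
    $state = if ($tnc.TcpTestSucceeded) { 'open' } else { 'closed or filtered' }
    Write-Host ("TCP  {0}:{1} -> {2}" -f $hostName, $port, $state)
}

# 5. Recent output-pipeline messages from the local splunkd.log:
#    "Connected to idx=" lines mean the TCP output is working; WARN/ERROR lines
#    from TcpOutputProc explain why it is not.
Get-Content $log -Tail 2000 |
    Select-String -Pattern 'TcpOutputProc' |
    Where-Object { $_.Line -match 'WARN|ERROR|Connected to idx' } |
    Select-Object -Last 20

# 6. Indexes the effective inputs target; each must exist on the indexers.
& $splunk btool inputs list |
    Where-Object { $_ -match '^\s*index\s*=' } |
    ForEach-Object { $_.Trim() } |
    Sort-Object -Unique
```

If step 4 reports DNS failure, fix name resolution on the host (or use an IP address in the `server =` setting) before looking at inputs. If DNS and TCP both pass but step 5 shows no "Connected to idx" lines, restart the forwarder and re-run step 5. Once the forwarder connects, the search from this answer (`index=_internal host=<your_host>`) should return splunkd events within a minute or two; if it does and the Windows event logs still do not appear, the problem is on the input side, so compare step 6 against the index list on the indexers.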

pmacdonald
Explorer

Hello,

Yes it was a DNS issue with the host in question....


gcusello
Esteemed Legend

Hi @pmacdonald,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
