After installing a universal forwarder, why am I only receiving splunkd logs, not Windows event logs?

abovebeyond
Communicator

hey,

I'm trying to get Windows event logs (Security, Application, etc.) to my Splunk server.

I installed the Splunk universal forwarder and enabled the receiver on port 9997 (there is no firewall).

I see on the Splunk Web GUI that events are getting into Splunk. If I search by host="server01", it only returns the "splunkd" sourcetype.

If I go to settings -> data type -> forwarded inputs -> new, I get:

"There are currently no forwarders configured as deployment clients to this instance."

(I don't know if it's connected to my problem.)

Please, what did I miss?

1 Solution

MuS
SplunkTrust

Does the index = wineventlog exist on your indexer?

abovebeyond
Communicator

Do you mean on: Settings - Indexes?

I just have the defaults,

starting with
_audit

ending with
_summary

Should I create a new one called
wineventlog?


MuS
SplunkTrust

Yes, otherwise those WinEventLogs have no index to be stored in.


MuS
SplunkTrust

By the way, where is your main index? This should also be installed by default.


abovebeyond
Communicator

I have main.

I got 9 default indexes.

I created a new one called "WinEventLogs".

Still I don't get these Security + Application logs.


MuS
SplunkTrust

Your inputs.conf has this setting: index = wineventlog, NOT index = wineventlog*s*

abovebeyond
Communicator

THANKS

I think it worked 🙂

How do I disable the "splunkd" sourcetype? It's flooding my server.


MuS
SplunkTrust

You should not disable it; those are the Splunk internal messages. You will need them in case of any troubleshooting 😉

abovebeyond
Communicator

Thanks MuS!


abovebeyond
Communicator

I looked on another client Splunk server; it has no index called WinEventLogs.

I copied all the inputs.conf from the working server.

Update:
the "main" size is only 1 MB, maybe it's connected?


MuS
SplunkTrust

Try searching like this for a start:

index=* earliest=0 latest=now

This will search all indexes over all time. If you don't see your events in this search, you should check whether the receiving port is listening and whether the receiving index you configured in inputs.conf on the forwarder exists on the indexer. See the docs for some more hints: http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Receiverconnection

The deployment client GUI is only used if you deploy configuration files to your universal forwarders.


abovebeyond
Communicator

I do get real-time indexes,

just from sourcetype = splunkd:

"03-05-2015 12:05:32.215 +0000 INFO Metrics - group=tpool, name=batchreadertpool, qsize=0, workers=1, qwork_units=0

host: myserver source=C:\ProgramFiles\SplunkUniversalForwarder\var\log\splunk\metrics.log sourcetype = splunkd "

Where are the Application log and Security log?


MuS
SplunkTrust

Are the inputs enabled on the forwarder? Please paste the inputs.conf from the forwarder with the settings for those event logs.


abovebeyond
Communicator

From "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local":

inputs.conf

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

Should I create inputs.conf in
"C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local"?


MuS
SplunkTrust

No, looks good. Did you restart the forwarder? What is reported if you run the following command:

 "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd btool inputs list WinEventLog

abovebeyond
Communicator

I'll update my conf file to:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0
blacklist = ccSvcHst.exe
whitelist = 4624,4634,4720,5156,5152

[WinEventLog://System]
disabled = 0

btool inputs list WinEventLog:

[WinEventLog]
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = Myserver
index = default
interval = 60
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = Myserver
index = wineventlog
interval = 60
renderXml = false
start_from = oldest
[WinEventLog://Security]
blacklist = ccSvcHst.exe
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 1
host = Myserver
index = wineventlog
interval = 60
renderXml = false
start_from = oldest
whitelist = 4624,4634,4720,5156,5152
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = Myserver
index = wineventlog
interval = 60
renderXml = false
start_from = oldest

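The check MuS keeps coming back to in this thread (does the index named in the forwarder's inputs.conf actually exist on the indexer, and is the stanza enabled) as an added Python example. This is not code from the thread or from Splunk; it uses only the standard library to parse an inputs.conf file or the flattened output of `splunk cmd btool inputs list WinEventLog`, merges the global [WinEventLog] stanza into each [WinEventLog://...] input the way btool does, and reports every enabled input whose index is missing on the indexer, with a near-match suggestion so a plural like "wineventlogs" versus "wineventlog" stands out. SAMPLE_INPUTS and SAMPLE_INDEXER_INDEXES are constructed to mirror the thread; the resolution of index = default to main is an assumption, and index names are compared exactly (case-sensitive) on purpose.

```python
"""Added example: verify that WinEventLog inputs on a universal forwarder
point at indexes that exist on the indexer. Not Splunk's code."""
import configparser
import difflib
from typing import Dict, List, Optional, Tuple

# Constructed sample: the effective settings as btool would print them
# (trimmed). The Security stanza deliberately repeats `disabled = 0`, as the
# posted inputs.conf in the thread did. System carries no index= line, so it
# inherits the global [WinEventLog] value.
SAMPLE_INPUTS = """
[WinEventLog]
index = default
interval = 60

[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Security]
disabled = 0
disabled = 0
index = wineventlog
whitelist = 4624,4634,4720,5156,5152

[WinEventLog://System]
disabled = 0
start_from = oldest
"""

# Constructed sample: index names as listed on the indexer after the user
# created the plural "wineventlogs" instead of "wineventlog".
SAMPLE_INDEXER_INDEXES = [
    "_audit", "_internal", "_introspection", "_thefishbucket",
    "history", "main", "summary", "wineventlogs",
]


def parse_inputs(text: str) -> Dict[str, Dict[str, str]]:
    """Parse inputs.conf / btool output into {stanza: {key: value}}.
    strict=False tolerates a key repeated inside a stanza (last value wins);
    interpolation=None keeps '%' in values literal; optionxform=str keeps the
    mixed-case keys Splunk uses (checkpointInterval, renderXml)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def effective_wineventlog_inputs(stanzas: Dict[str, Dict[str, str]]
                                 ) -> Dict[str, Dict[str, str]]:
    """Merge the global [WinEventLog] stanza into each [WinEventLog://...]
    input, so a stanza without its own index= line gets the global one."""
    base = stanzas.get("WinEventLog", {})
    return {name: {**base, **cfg} for name, cfg in stanzas.items()
            if name.startswith("WinEventLog://")}


def check_inputs(inputs_text: str, indexer_indexes: List[str],
                 default_index: str = "main"
                 ) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (stanza, resolved index, status, suggestion) for every
    WinEventLog input. status is "ok", "missing" or "disabled"; suggestion is
    the closest existing index name when the configured one is missing."""
    known = sorted(set(indexer_indexes))
    results: List[Tuple[str, str, str, Optional[str]]] = []
    for name, cfg in effective_wineventlog_inputs(parse_inputs(inputs_text)).items():
        index = cfg.get("index", "default").strip()
        # Assumption: index = default means the indexer's default index,
        # which is main unless the indexer was reconfigured.
        target = default_index if index == "default" else index
        if cfg.get("disabled", "0").strip().lower() in ("1", "true"):
            results.append((name, target, "disabled", None))
        elif target in known:
            results.append((name, target, "ok", None))
        else:
            near = difflib.get_close_matches(target, known, n=1, cutoff=0.6)
            results.append((name, target, "missing", near[0] if near else None))
    return results


if __name__ == "__main__":
    for stanza, index, status, hint in check_inputs(SAMPLE_INPUTS,
                                                    SAMPLE_INDEXER_INDEXES):
        line = f"{stanza:<28} index={index:<14} {status}"
        print(line + (f"  (did you mean '{hint}'?)" if hint else ""))
```

Run it against the real file by reading `inputs.conf` (or the captured btool output) into `inputs_text` and passing the names from Settings -> Indexes as `indexer_indexes`; the "missing" rows with a suggestion are exactly the mismatch that kept the Security and Application events out of the index in this thread, while "disabled" rows point at stanzas that will never send anything regardless of the index.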