Getting Data In

Why am I unable to forward logs from a Linux machine to Windows using Splunk 6.3?

CREVITCH
Path Finder

I am new to Splunk and downloaded Splunk free to several machines, Linux and Windows. All machines are on the same subnet. I have been successful at forwarding logs from Windows to Linux, and from Windows to Windows, but I cannot seem to see the Linux logs on the Windows Splunk. I see the TCP handshake and the log text, but Splunk never shows the machine name or the logs in the data summary.

Using Splunk 6.3.0 on CentOS 6.6. The logging capability seems to work fine on the Linux machine when viewed locally. The Windows machines are both using Splunk 6.3.0 as well.

Many Thanks

0 Karma
1 Solution

MuS
SplunkTrust

Hi CREVITCH,

Run this search: | tstats count WHERE index=* sourcetype=* by index, sourcetype, host to see if the host is listed. If so, run a search over all time for the index listed in the above search result:

index=<from above> earliest=0

Check splunkd.log or index=_internal for errors related to this host/input; maybe date errors and the timestamp is not recognised? Hint: http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Configuretimestamprecognition

Hope this helps ...

cheers, MuS


CREVITCH
Path Finder

Thank you. I ran the search and the source (forwarding) host (Linux box) did not appear. I still see my Windows desktop (receiver) handshaking with the source in Wireshark. Any other things I can try?

0 Karma

CREVITCH
Path Finder

I just added the index the Linux server was creating (os) to the Windows Splunk and it is now showing up. Thanks!
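The configuration implied by the thread's resolution, written out as an added example (not from the original posts or from Splunk's documentation): the Linux forwarder tags its events for an index named "os", and the Windows receiver only keeps them once that index exists on its side. The receiver address 192.0.2.10, the receiving port 9997, the monitored file and the sourcetype are assumptions.

```ini
# --- Linux forwarder (CentOS): $SPLUNK_HOME/etc/system/local/outputs.conf
# Assumed address and port of the Windows receiver.
[tcpout]
defaultGroup = windows_indexer

[tcpout:windows_indexer]
server = 192.0.2.10:9997

# --- Linux forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf
# Assumed input. Every event from this file is labelled index=os, so the
# receiver must define an index with exactly that name.
[monitor:///var/log/messages]
index = os
sourcetype = linux_messages_syslog

# --- Windows receiver: %SPLUNK_HOME%\etc\system\local\inputs.conf
# Listens for forwarded data; this is the TCP session visible in Wireshark.
[splunktcp://9997]
disabled = 0

# --- Windows receiver: %SPLUNK_HOME%\etc\system\local\indexes.conf
# This stanza is the missing piece from the thread. Without it the receiver
# completes the handshake and reads the stream, but events addressed to "os"
# are discarded, so the Linux host never shows up in the tstats output above.
# Restart splunkd on the receiver after adding it.
[os]
homePath   = $SPLUNK_DB/os/db
coldPath   = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb
```

Silently dropped events are a monitoring gap, so it is worth checking the receiver's index=_internal sourcetype=splunkd for warnings about an unconfigured index (the exact wording of that warning is an assumption) before trusting that the forwarder is covered.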
