Getting Data In

Why are Windows event logs not being forwarded to the specified index with my current configuration?

bravehearts9787
Explorer

I have a universal forwarder installed on my Windows server. I am trying to send event logs with certain event types to the indexer server. In addition to that, I am sending files stored in a location on my server to the indexer server. All this data needs to be sent to a particular index on the indexer server. However, when I search the indexer with the index name, I am not able to get any results.

inputs.conf from my Forwarder:

[default]
host = WIN2K3CPT

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
whitelist = SourceName="^RC_ProcessInstAppService_Failure$"
whitelist1 = SourceName="^RC_ProductTransferService_Failure$"
whitelist2 = SourceName="^RC_MarketOfferProcessor_Failure$"
whitelist3 = EventType="Warning"

[monitor://F:\inetpub\wwwroot\T3Report]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
whitelist = CMC\.txt|RC\.txt

props.conf from the Indexer server:

[srcapplogrc]
TRANSFORMS-index=sendtoapplogrc

transforms.conf from the indexer server:

[sendtoapplogrc]
REGEX=.
DEST_KEY = _MetaData:Index
FORMAT = applogrc
1 Solution

jkat54
SplunkTrust

Hi, there's no need for the props and transforms in this case, because you're specifying the index in the inputs.conf stanza.

Have you made sure that port 11070 is open from your machine to the other machine? Firewalls can block this connection, such as Windows Firewall, network firewalls, Linux firewalls (iptables, apparmor), etc.

Also, to be sure, the inputs.conf and outputs.conf files should be on the universal forwarder, not the Splunk indexer. You mentioned inputs.conf was on the UF but nothing about the location of outputs.conf, so I'm just checking to be sure.

Finally, I removed your internal server names from your post for your own protection.



bravehearts9787
Explorer

Thanks Michael. The location of my outputs.conf is within the UF (etc/system/local) itself. Also, I did a telnet to port 11070. It's open.
Is there anything specific that we need to configure within the forwarder for it to actually start forwarding data? I am under the assumption that it starts sending the data automatically once outputs.conf is placed and the instance restarted.


jkat54
SplunkTrust

That's all it takes, so long as the account splunkd is running under has permissions to read the data you're looking for, and receiving is enabled on the indexers on that port.

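Scripting the checks raised in this reply and in the accepted solution above (the index is already pinned per stanza in inputs.conf, so the indexer-side props/transforms add nothing; the receiving port must be reachable, as with the telnet test; the monitored path must be readable by the account splunkd runs as, and the whitelist regex must actually match files in it), as an added example in Python that is neither Splunk's nor the posters' code. It assumes Splunk .conf files parse as INI-style text, that an input with no index set lands in the indexer's default index (taken as main), and that a monitor:// whitelist is a regex searched against the full path; the conf text, the files and the loopback listener it uses are constructed so it runs offline. Run it as the splunkd service account, with the real paths and host:port, for a meaningful answer.

```python
"""UF-side preflight for the configuration posted in this thread (added example, not
Splunk's or the posters' code). Assumptions: Splunk .conf files are INI-style text whose
[default] values apply to every stanza; an input with no index set lands in the indexer's
default index, taken here to be 'main'; a monitor:// whitelist is a regex searched against
the full path. Conf text, files and the local listener are constructed to run offline."""
import configparser
import os
import re
import socket
import tempfile

# Constructed sample modelled on the inputs.conf / outputs.conf in the thread.
INPUTS_CONF = r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
index = applogrc
whitelist = SourceName="^RC_ProcessInstAppService_Failure$"

[monitor://{monitor_dir}]
index = applogrc
whitelist = CMC\.txt|RC\.txt
"""
OUTPUTS_CONF = """
[tcpout:default-autolb-group]
server = {servers}
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep 'whitelist1', 'SourceName' etc. as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_index(stanzas, name, fallback="main"):
    """Stanza index, else [default] index, else the indexer's default. When this already
    names the target index, an indexer-side TRANSFORMS on _MetaData:Index adds nothing."""
    return stanzas[name].get("index") or stanzas.get("default", {}).get("index") or fallback

def tcpout_servers(stanzas):
    """[(host, port)] from the comma-separated server list of every [tcpout:<group>]."""
    found = []
    for name, kv in stanzas.items():
        if name.startswith("tcpout:") and kv.get("server"):
            for entry in kv["server"].split(","):
                host, _, port = entry.strip().rpartition(":")
                found.append((host, int(port)))
    return found

def port_reachable(host, port, timeout=2.0):
    """The 'telnet host port' check from the thread: does a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def monitor_report(stanzas):
    """Per monitor:// stanza: path present, readable by this process (run it as the splunkd
    service account), and which files the whitelist regex actually admits."""
    report = {}
    for name, kv in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        path = name[len("monitor://"):]
        wl = re.compile(kv["whitelist"]) if kv.get("whitelist") else None
        files = sorted(os.listdir(path)) if os.path.isdir(path) else []
        matched = [f for f in files if wl is None or wl.search(os.path.join(path, f))]
        report[path] = {"exists": os.path.exists(path), "readable": os.access(path, os.R_OK),
                        "matched": matched,                                   # forwarded
                        "unmatched": [f for f in files if f not in matched]}  # skipped
    return report

def run_demo():
    """Run every check against the constructed sample and return the findings."""
    live = socket.socket()                    # stand-in indexer with receiving enabled
    live.bind(("127.0.0.1", 0))
    live.listen(5)
    dead = socket.socket()                    # bind and release: nobody listens here
    dead.bind(("127.0.0.1", 0))
    live_port, dead_port = live.getsockname()[1], dead.getsockname()[1]
    dead.close()
    with tempfile.TemporaryDirectory() as d:
        for f in ("CMC.txt", "RC.txt", "notes.log"):   # constructed monitor contents
            open(os.path.join(d, f), "w").close()
        inputs = parse_conf(INPUTS_CONF.format(monitor_dir=d))
        outputs = parse_conf(OUTPUTS_CONF.format(servers=f"127.0.0.1:{live_port}, 127.0.0.1:{dead_port}"))
        findings = {"live_port": live_port, "dead_port": dead_port,
                    "indexes": {s: effective_index(inputs, s) for s in inputs if s != "default"},
                    "servers": {f"{h}:{p}": port_reachable(h, p) for h, p in tcpout_servers(outputs)},
                    "monitors": monitor_report(inputs)}
    live.close()
    return findings
```

A file listed under unmatched is one the forwarder will skip, which is the other common reason an index looks empty while the connection itself is fine. The port check only proves a listener is accepting TCP on that port; it cannot tell you whether that listener is splunkd with receiving enabled or something else, so pair it with the forwarder's splunkd.log when it passes and data still does not arrive.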

jkat54
SplunkTrust

@ppablo_splunk hey man, is there any way we can delete/edit the comments the OP made that contained his server names from the question history?


woodcock
Esteemed Legend

The terms "index" and "indexer" mean different things. I see your configuration for sending to particular index values, but if you are trying to send some data to certain indexers, we need to see your outputs.conf.


bravehearts9787
Explorer

Thanks. Here it is:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = server1.mydomain.com:11070

[tcpout-server://server1.mydomain.com:11070]

Note: All these conf files are in the system\local folder, and I did try restarting the Splunk instance after the changes.
