Getting Data In

How to properly configure Universal Forwarder, located on the same machine as my Splunk instance?

aoliullah
Path Finder

Hi. I am trying to install a universal forwarder on the same machine as my Splunk instance just to see how Universal Forwarder (UF) works. I understand that you can collect the logs locally, but just to understand how UF works I am trying to do it. I have followed the installation wizard and entered the receiver details as 127.0.0.1 and 9997 as the port. I left the deployment server details empty. I also configured the receiver on the Indexer, but I am still unable to see Windows event logs when searched. Could someone please help? I am new to Splunk.

0 Karma
1 Solution

skoelpin
SplunkTrust
SplunkTrust

Did you edit your inputs.conf to monitor the directory you want Splunk to ingest?

Under your Splunkforwarder home directory, go to etc/system/local, create an inputs.conf file and put the stanza below in it. Make sure to substitute the path to the file you want to monitor, give a sourcetype, and set which index you want this data to go to. Also make sure you have the index defined before sending data there.

# The stanza header must be monitor:// (colon and two slashes) followed by the path
[monitor://C:\PATH_TO_FILE]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX


0 Karma

ashishmaind2499
New Member

I am facing the same issue too. I installed Splunk Universal Fwd and Splunk Enterprise on my C drive. I created a sample file and modified the inputs.conf as mentioned above and enabled the receiver by setting the port to 9997. Do we have to modify/create the outputs.conf file? I tried creating outputs.conf too, but no use. In outputs.conf I gave the server name as localhost. Am I missing something? Also, do we have to modify anything in distributed search? I assume my Splunk Enterprise is acting both as SH and Indexer.

0 Karma

lquinn
Contributor

Have you set up inputs on the forwarder, to tell it what to forward?

0 Karma


aoliullah
Path Finder

I had already chosen Windows event logs in the UF installation wizard. Wouldn't that configure it automatically? Do I need to do anything under data inputs?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Yes, it should have. You can go to Settings > Data Inputs and see if there's anything for local event log collection, or you can go to splunkforwarder/etc/system/local and see if you have an inputs.conf with a stanza collecting your event logs.

You could also create a quick test by creating a temp folder on your C drive and creating a text file inside that folder. You should then add the stanza I provided above and point it to that text file you created. Restart the Splunk service after making changes and verify that Splunk ingests it.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorWindowseventlogdata

0 Karma
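The complete set of .conf files for the two-instance, same-host setup discussed in this thread, as an added example that is not from any of the posters: the UF's monitor and Windows event log inputs, the outputs.conf the second poster asked about, and the receiving port and index on the Splunk Enterprise side. The install paths, the C:\splunktest\test.txt file, and the uf_test sourcetype/index are assumed values for the quick test described in the accepted answer.

```ini
# --- C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf (on the UF) ---
# Test file from the accepted answer (assumed path); note monitor:// with two slashes
[monitor://C:\splunktest\test.txt]
disabled = false
sourcetype = uf_test
index = uf_test

# Windows event log inputs the installer wizard normally writes when you tick
# "Windows event logs"; adding them here makes the collection explicit.
[WinEventLog://Security]
disabled = false
index = uf_test

[WinEventLog://System]
disabled = false
index = uf_test

# --- C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf (on the UF) ---
# Built from the receiver entered in the wizard (127.0.0.1:9997). Without this file
# the UF reads its inputs but has nowhere to send them.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 127.0.0.1:9997

# --- C:\Program Files\Splunk\etc\system\local\inputs.conf (on the indexer) ---
# Receiving port; same effect as Settings > Forwarding and receiving > Configure receiving
[splunktcp://9997]
disabled = 0

# --- C:\Program Files\Splunk\etc\system\local\indexes.conf (on the indexer) ---
# The index has to exist before data is sent to it, or the events are dropped
[uf_test]
homePath   = $SPLUNK_DB/uf_test/db
coldPath   = $SPLUNK_DB/uf_test/colddb
thawedPath = $SPLUNK_DB/uf_test/thaweddb
```

After restarting both services, `splunk list forward-server` on the UF should list 127.0.0.1:9997 under active forwards, and `index=uf_test` on the indexer should return the test file and event log entries. Because both instances default to management port 8089, give the UF a different one with `mgmtHostPort` in its web.conf `[settings]` stanza if its splunkd refuses to start.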