
How to do new User-Setup Windows Event Logs from Universal Forwarder to Different Index?

ghostdog920
Path Finder

Sorry for this question, as I know it is probably simple, but I can't figure it out. I have a single Windows server running the Splunk universal forwarder. I have tried to set up a data input (may not be necessary) to receive the information, TCP 5143, and then put it to a sourcetype of WinEventLog:Security and a new indexer, security_file_audit.

On my Windows server where the universal forwarder is installed, I have set up the outputs.conf file to:

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://splunk1.patientfirst.com:5143]

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143

When I cycle the service, I get errors:
01-24-2018 14:11:04.109 -0500 WARN TcpOutputProc - Cooked connection to ip=10.0.103.210:5143 timed out

When I change from 5143 to 9997, everything comes across, though not to my new index but rather to main.

Hopefully I am just doing something stupid. Can someone clarify where I am going wrong?

1 Solution

mdsnmss
SplunkTrust

What you will want is a combination of outputs.conf and inputs.conf. The outputs.conf tells the forwarder what server to send the data to, and the inputs.conf tells it what data to send and what properties go with that data. You should have something that looks like this on your universal forwarder:

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:9997

inputs.conf

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
index = <your index>

Unless changed in the configs, the port for sending Splunk data from forwarder to indexer should be 9997. For forwarding Windows events, this is a good resource to check, and you may adjust the settings as desired (maybe you only want specific event codes from WinEventLog:Security?): https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf#Windows_Event_Log_Monitor.

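One way to catch both faults in this thread before restarting the forwarder, as an added example that is not part of the original post and not Splunk's own tooling: a small Python linter that parses the forwarder's outputs.conf and inputs.conf together with the indexer's inputs.conf and reports (a) a tcpout target port for which the indexer has no enabled splunktcp receiver (the "Cooked connection ... timed out" symptom) and (b) an enabled WinEventLog stanza with no usable index= (the "everything lands in main" symptom). The sample configs, the splunk1.patientfirst.com host, the 5143/9997 ports and the security_file_audit index name are constructed from the thread; the optional index-existence check assumes you can supply the set of indexes defined on the indexer.

```python
"""Lint a Universal Forwarder's outputs.conf/inputs.conf against the indexer's
inputs.conf. Added example, not code from the original post or from Splunk; the
hostnames, ports and index names in the sample configs are constructed."""
from __future__ import annotations

import configparser
import re


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse Splunk .conf syntax (INI-style stanzas, case-sensitive keys, # comments).
    Leading whitespace is stripped from every line so indented copy-pasted stanzas
    are not mistaken for value continuations."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # Splunk keys such as defaultGroup are case-sensitive
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {name: {k: (v or "") for k, v in cp.items(name)} for name in cp.sections()}


def _enabled(stanza: dict[str, str]) -> bool:
    return stanza.get("disabled", "0").strip().lower() not in ("1", "true")


def receiving_ports(indexer_inputs: dict[str, dict[str, str]]) -> set[int]:
    """Ports with an enabled [splunktcp://[host:]port] or [splunktcp-ssl:port] receiver."""
    ports: set[int] = set()
    for name, kv in indexer_inputs.items():
        m = re.fullmatch(r"splunktcp(?:://(?:[^:]+:)?|-ssl:)(\d+)", name)
        if m and _enabled(kv):
            ports.add(int(m.group(1)))
    return ports


def forwarder_targets(outputs: dict[str, dict[str, str]]) -> list[tuple[str, int]]:
    """(host, port) pairs from the server= list of every group named in [tcpout] defaultGroup."""
    targets: list[tuple[str, int]] = []
    groups = outputs.get("tcpout", {}).get("defaultGroup", "")
    for group in (g.strip() for g in groups.split(",") if g.strip()):
        servers = outputs.get(f"tcpout:{group}", {}).get("server", "")
        for entry in (s.strip() for s in servers.split(",") if s.strip()):
            host, _, port = entry.rpartition(":")
            if port.isdigit():
                targets.append((host, int(port)))
    return targets


def lint(fwd_outputs: str, fwd_inputs: str, idx_inputs: str,
         known_indexes: set[str] | None = None) -> list[str]:
    """Return human-readable findings; an empty list means the configs are consistent."""
    findings: list[str] = []
    listening = receiving_ports(parse_conf(idx_inputs))
    for host, port in forwarder_targets(parse_conf(fwd_outputs)):
        if port not in listening:
            findings.append(
                f"outputs.conf sends to {host}:{port}, but the indexer only receives "
                f"splunktcp on {sorted(listening)}: expect 'Cooked connection ... timed out'")
    for name, kv in parse_conf(fwd_inputs).items():
        if not name.startswith("WinEventLog://") or not _enabled(kv):
            continue
        index = kv.get("index", "").strip()
        if not index or index.startswith("<"):  # missing, or a doc placeholder left in
            findings.append(f"[{name}] has no usable index= ({index!r}); "
                            "events go to the default index, main")
        elif known_indexes is not None and index not in known_indexes:
            findings.append(f"[{name}] targets index {index!r}, which the indexer does not "
                            "define; such events are dropped unless lastChanceIndex is set")
    return findings


# Constructed sample configs mirroring the thread: the indexer receives on 9997 only.
INDEXER_INPUTS = """
[splunktcp://9997]
disabled = 0
"""

# As posted: forwarder aimed at 5143, and no index on the Security event log input.
BROKEN_OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://splunk1.patientfirst.com:5143]

[tcpout:default-autolb-group]
disabled = false
server = splunk1.patientfirst.com:5143
"""
BROKEN_INPUTS = """
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXML = false
"""

# Corrected as in the accepted answer: port 9997 and an explicit index.
FIXED_OUTPUTS = BROKEN_OUTPUTS.replace(":5143", ":9997")
FIXED_INPUTS = BROKEN_INPUTS + "index = security_file_audit\n"
INDEXES = {"main", "security_file_audit"}  # assumed to be defined on the indexer

if __name__ == "__main__":
    for label, out, inp in (("as posted", BROKEN_OUTPUTS, BROKEN_INPUTS),
                            ("corrected", FIXED_OUTPUTS, FIXED_INPUTS)):
        print(f"{label}: {lint(out, inp, INDEXER_INPUTS, INDEXES) or 'OK'}")
```

Run it against the effective configuration rather than a single file: on a real forwarder `splunk btool outputs list --debug` and `splunk btool inputs list --debug` print the merged stanzas, and feeding that output to `lint()` avoids being fooled by an app-level outputs.conf that overrides the one you edited.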
