After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

tmontney
Builder

I installed the Universal Forwarder using the MSI, specified server info, but didn't check any boxes for wineventlog and such. I can see the PC checking in on the Splunk server, but it's not receiving any data. This is my ...\etc\system\local\inputs.conf

[default]
host = PBDC-LT-16

[WinEventLog:System]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Security]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Application]
interval=60
index=wineventlog
disabled=0

gneumann_splunk
Splunk Employee

Here's a similar situation on Answers that might help resolve your issue:
https://answers.splunk.com/answers/98072/not-receiving-data-from-windows-forwarder.html

In particular "Have you opened the port on your Splunk indexer to receive data from the forwarder? I would try doing a tcpdump/netstat to see if data is leaving the Windows box and/or being received on the Splunk Indexer."

tmontney
Builder

If I configure Splunk server to get the data, it works. I'm feeling it's just wrong config rather than ports or firewalls. I'll take a look though.

tmontney
Builder

My apology, it is working actually. I was basing it off the "Last Updated" section of the Search page. It was looking for the hostname rather than the hostname's FQDN (treating them as separate hosts).
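
To make the resolution concrete (a short hostname and its FQDN showing up as two different hosts in search), here is an added Python helper that is not from this thread or from Splunk: it parses the forwarder-side inputs.conf quoted in the question with the standard library, lists which WinEventLog stanzas are actually enabled and where they index, and compares the host value the forwarder will stamp on events against the name you search for, ignoring any domain suffix. The fallback to the machine's own hostname when no host is set in [default] is an assumption.

```python
import configparser
import socket

# Constructed sample: the forwarder-side inputs.conf posted in the question.
SAMPLE_INPUTS_CONF = """\
[default]
host = PBDC-LT-16

[WinEventLog:System]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Security]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Application]
interval=60
index=wineventlog
disabled=0
"""

def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """inputs.conf is INI-style (bracketed stanzas, key = value). Interpolation
    is off so a '%' in a Windows path is not misread; key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def enabled_eventlog_inputs(cp: configparser.ConfigParser) -> dict:
    """Map each WinEventLog channel that is not disabled to its target index."""
    result = {}
    for section in cp.sections():
        if not section.startswith("WinEventLog:"):
            continue
        if cp.get(section, "disabled", fallback="0").strip().lower() in ("1", "true"):
            continue
        result[section.split(":", 1)[1]] = cp.get(section, "index", fallback="main")
    return result

def host_field_value(cp: configparser.ConfigParser) -> str:
    """Host stamped on events: [default] host, else (assumed) the machine's own name."""
    return cp.get("default", "host", fallback=socket.gethostname())

def host_matches(expected: str, cp: configparser.ConfigParser) -> bool:
    """Treat a short name and its FQDN as the same machine, as the question's
    'Last Updated' check did not, so host=<FQDN> and host=<short> agree."""
    return host_field_value(cp).lower().split(".")[0] == expected.lower().split(".")[0]
```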

gneumann_splunk
Splunk Employee

Great to know it's working!

skoelpin
SplunkTrust

Is your outputs.conf pointing to your indexer? Did you restart the Splunk web service after making these changes?

tmontney
Builder

Yep, outputs.conf is fine. The inputs.conf file I'm referencing here is on the forwarder, not the server. Why would I restart the server?

gneumann_splunk
Splunk Employee

Try checking your universal forwarder installation against these instructions:
http://docs.splunk.com/Documentation/SplunkLight/6.5.0/GettingStarted/GettingdataintoSplunkLightusin...

tmontney
Builder

Very nice, I didn't realize this was an option. However, it's a bit light. The config files have far more options to configure, and I can't determine how to do that.

gneumann_splunk
Splunk Employee

Try the Splunk Enterprise Getting Data In manual, which has more information:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/AboutWindowsdataandSplunk

gneumann_splunk
Splunk Employee

More specific instructions for event log monitoring and universal forwarder config info using Windows:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowseventlogdata

tmontney
Builder

Again, I have followed that. I have changed /etc/system/local/inputs.conf to the config shown above, on the local forwarder. I restarted the Splunk Forwarder service, and did not see any change.
