Solved: Universal forwarder is not sending logs.

zachantinelling · ‎04-21-2020

I am unable to get forwarders to show up in the console after installing server/forwarder. Getting "no clients or apps are currently available on this deployment server".

I installed Splunk version 8.0.3 on RHEL 7.7 Server, and configured the indexer to listen on 9997 and app server on 8088. Opened these ports on Linux server:

8000 - Web
8088 - App Server (The others show open but this port still shows closed when tested with a port scan, I noticed it is listening on 127.0.0.1:8088 where the others are 0:0:0:0:port)
8089 - Management Port
8191 - KV Store
9997 - Indexer

Installed Universal Forwarder on Windows 10 - 1909 x64 client using this command:

msiexec "-i \\pathtomsi.msi -qn -l C:\logpath.log AGREETOLICENSE=YES SPLUNKUSERNAME=USER SPLUNKPASSWORD=PASS RECEIVING_INDEXER=server.domain.net:9997 WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_SET_ENABLE=0 WINEVENTLOG_FWD_ENABLE=0"

Any idea what is going wrong here or what I can do to troubleshoot the issue?

zachantinelling · ‎04-21-2020

Figured it out. I mistakenly left off the deployment server in the installation

View solution in original post

sensitive-thug · ‎04-22-2020

Hi @zachantinellingc . Did the answer below solve your question? If yes, please click “Accept” directly below the answer to resolve the post. If not, please comment with more information if you are still having issues.

zachantinelling · ‎04-21-2020

Figured it out. I mistakenly left off the deployment server in the installation

PavelP · ‎04-21-2020

Hello @zachantinellingc , you will get points if you mark your own post as solution

Universal forwarder is not sending logs.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases