Getting Data In

Windows event logs, Linux server

FloydATC
Explorer

I'm running my trial Splunk indexer on a linux host and already collecting data from switches, VMware hosts, firewalls, SAN and a few other interesting systems.

I have configured "Receiving" on the server to listen on port 9997.

This morning I installed the Universal Forwarder on a Windows 2008 R2 server and selected all the Event Logs for forwarding. TCP ports 8089 and 9997 are open on the server side and I can see TCP traffic using tcpdump. The Windows host appears under "Forwarder Management", and Phone Home says "a few seconds ago", so I have every reason to believe the communication is working properly.

However, searching for the IP address or hostname of the Windows host shows no matches, and neither does any search for strings that appear in the event log as seen using Windows' own event log viewer.

I also chose to forward the contents of a single directory where the backup agent produces its log files. Searching for strings that appear in those log files also comes up empty.

What am I missing?

1 Solution

lukejadamec
Super Champion

Check the splunkd log on the Windows system for errors. It is probably best to restart Splunk on the Windows system, so you can see the inputs initialize in the log.
Also, if you run the restart from the cmd window, you can see whether there are errors at startup, but the cmd window must be "run as administrator" on w2k8.

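As an added example (not from the original thread), a PowerShell script that follows this advice on the forwarder host: it refuses to run from a non-elevated window, restarts the Universal Forwarder in the foreground, and then pulls the recent ERROR/WARN and input-initialization lines from splunkd.log. The default install path and the component names matched by `$inputPattern` are assumptions.

```powershell
# Added example (not from the thread): restart the Universal Forwarder from an
# elevated session and pull the splunkd.log lines that show inputs starting or failing.
# Assumptions: default UF install path; the component names in $inputPattern.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [int]$TailLines = 500,
    [int]$SettleSeconds = 20
)

# The answer's caveat: on Windows 2008 R2 the prompt must be "run as administrator",
# otherwise splunk.exe cannot restart the service and startup errors never reach the log.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start this from a cmd/PowerShell window opened with "Run as administrator".'
}

$splunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'
$splunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
if (-not (Test-Path $splunkExe)) { throw "splunk.exe not found under $SplunkHome" }

# Restart in the foreground so any service start errors are printed in this window too.
& $splunkExe restart
if ($LASTEXITCODE -ne 0) { Write-Warning "splunk restart exited with code $LASTEXITCODE" }

# Give the inputs time to initialize and write to splunkd.log before reading it.
Start-Sleep -Seconds $SettleSeconds

$recent = Get-Content -Path $splunkdLog -Tail $TailLines

# Assumed component names: Windows event log input, file monitoring, forwarding output.
$inputPattern = 'WinEventLog|TailingProcessor|TcpOutputProc'
$problems = $recent | Select-String -Pattern '\s(ERROR|WARN)\s'
$inputs   = $recent | Select-String -Pattern $inputPattern

Write-Host "== ERROR/WARN lines in the last $TailLines log lines ($($problems.Count)) =="
$problems | ForEach-Object { $_.Line }
Write-Host "== input / output initialization lines ($($inputs.Count)) =="
$inputs | ForEach-Object { $_.Line }
```

`Get-Content -Tail` needs PowerShell 3.0 or later, so on a stock 2008 R2 host (PowerShell 2.0) replace it with `Get-Content $splunkdLog | Select-Object -Last $TailLines`.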

FloydATC
Explorer

Thanks for pointing me in the right direction 🙂 The log file seems to indicate that Splunk was quite busy transferring files from the selected directory. Judging from the log, after about 30 minutes or so it appears to have settled down, and I can now search the Event Log messages as expected.
