Missing logs for eventcode 4776 (Windows TA installed on universal forwarder...
Hello, I'm able to receive almost all eventcodes for `wineventlog:security` but missing the logs for eventcode 4776 . I have the Windows TA app installed on the universal forwarder and search head. I...
View ArticleHow can we restrict computer owners from injecting more data into splunk?
How can we restrict computer owners from injecting more data into splunk?. We have around 1000 computers which reports to our splunk cloud through universal forwarders. Initially All the forwarders...
View ArticleUniversal Forwarder not reading user-seed.conf (version 7.2.6).
I have read other articles but haven't found an answer. I recently pushed the universal forwarder to Windows clients to upgrade from 6.5.1 to 7.2.6 and did not set the user password. The forwarder is...
View ArticleCan I configure the output.conf file via app deployment to enable encryption...
I am trying to enable encryption of the traffic from all of my universal forwarders to the indexer. Looks like this involves updating the `output.conf` file on the forwarder (makes sense). No big deal...
View ArticleHow to adjust timestamps for some sources coming from the universal forwarder?
I have a certain host that sends several logs from multiple sources using the Linux Universal Forwarder. Most of these logs are written in the host and then to Splunk as UTC although the host is...
View ArticleNot receiving data from universal forwarders when netstat shows domain...
Hi, I configured a Splunk enterprise indexer to monitor active directory. That worked without issues, it found my domain controllers right away. I also configured the `forwarders conf` file properly,...
View ArticleHow to limit heavy forwarder bandwidth in limits.conf?
Hello guys, is it possible to limit Heavy forwarders bandwidth like UF (setting [thruput] in `limits.conf` for forwarders)? Thanks.
View ArticleCan't determine universal forwarder service account
Hi, I've inherited a poorly documented splunk deployment that seems to have been misconfigured. the universal forwarder service isnt starting on workstations due to a logon issue. Either the password...
View ArticleWindows Universal Forwarder unable to read log files
Hi all, In our environment, we have several Windows UF managed by a deployment server. We didn´t apply any change on the forwarders, and some of them are unable to send some of the data to the...
View ArticleUniversal Forwarder on Windows: Errors with Splunk Indexer (SSL).
So I have a Universal forwarder installed on a Windows system (v7.3.3) and I have it set up to communicate with my Splunk Enterprise server (v. 7.3.4). The Windows system has checked into Splunk, when...
View ArticleFile/Directory Information Input App: Seeing error in the log (server has...
Hi, Just installed the app on a universal forwarder and getting this error in the log. Any idea what the issue is? Is there any configuration I need to edit other than inputs.conf? Thanks. Server has...
View ArticleMicrosoft Windows TA Add-on: How to segregate desktops from universal...
Good Afternoon We are looking at a pilot project to use Splunk to help manage our desktop inventory using the Microsoft_windows_TA add-on and a universal forwarder installed on the desktops. The only...
View Article"Invalid key in stanza" - transforms.conf
On a universal forwarder version 7.3.4. I am seeing the following errors with btool checks during restart: Invalid key in stanza [force_sourcetype_for_cisco_asa] in...
View ArticleDo we need to assign domain admin for a service account for Universal forwarder
I am setting up universal forwarders to run using service account and in Splunk documentations...
View ArticleHow to encrypt traffic between universal forwarder and indexer (getting error...
I am trying to just set up a basic encryption between the Universal Forwarder and indexer using the certs that come with the install. I am trying to follow the directions on this Splunk doc but am...
View ArticleHow to filter out specific events sent via Universal Forwarder?
I have one indexer that is receiving events from a remote Windows host via the Universal Forwarder. I am trying to filter out events that contain the string 'empty logger' in the log file...
View ArticleConfiguration of Universal forwarder sending log to Cluster master
Hello, I have configured our cluster master to receive log in certain port and also configured the cluster master to forward to two indexer nodes. Now we have universal forwarder installed in few...
View ArticleWhat script should I use to upgrade multiple universal forwarders on Linux?
Hi, I am looking to upgrade multiple universal forwarders installed on Linux OS at one go. Could you please help me with the script I should use and the detailed steps on how to use that script? Note:...
View ArticleHF data forwarding to 3rd party design validation
I have a requirement to push a subset of universal and heavy forwarders originating data to a third party, for which I enabled a set of HFs for data forwarding alone. This is working fine, as data...
View ArticleHow to resolve TailReader errors and data loss using universal forwarder (bug...
I've been dealing with this TailReader error for a while and was not able to fix it despite reading all answers and similar questions. I'm still experiencing data loss every day. As you can see in...
View Article