Can someone help me in resolving the issue? Splunkd Universal Forwarder is consuming 100% CPU.
I am monitoring around 50 log files and the data is not more than 30GB daily.
For monitoring I am not using any wildcard characters and have given the full path of the log files.
Splunk Universal Forwarder 6.5.2 -- 100% CPU Solaris
Accessing bash variables via a universal forwarder scripted input
When using a shell script on my Splunk server I am able to access variables with no problem, i.e.

```bash
#!/bin/bash
java -jar custom.jar -val $(date +%Y%m%d_%H%M)
```

However, when using the same script with the Universal Forwarder as a .path file, it does not execute.
Any suggestions on how to achieve this as a scripted input with the UF?
How is installing a HF different from a UF?
Hi,
We are currently monitoring Windows security event logs across 3000 machines in our organization using UFs; these UFs forward data to a HF and the HF routes data to a syslog server (for backup) and Splunk indexers.
This all works fine so far, but we now have a requirement to forward the event logs that are stored in syslog to third-party software/server and this is causing issues.
Instead of going through all the pain of parsing these logs in rsyslog, we are planning to replace UFs with HFs on all these boxes and directly forward to indexer and syslog from the endpoint.
The question here is: will installing HFs on 2-3 thousand endpoints cause any spike in performance or will it cause any remote management issues?
Thanks in advance.
Will configuring a Universal forwarder to send the same logs to two different Splunk instances cause performance issues?
Hi All,
We are planning to configure a universal forwarder to send logs to two different Splunk instances, i.e. to clone data.
The configuration we are going to use is:

In outputs.conf

```ini
[tcpout]
# Cloning requires defaultGroup to name every target group; the original
# value "default-autolb-group" referred to a group that is not defined below.
defaultGroup = indexer1, indexer2

[tcpout:indexer1]
server = A.A.A.A:9997, B.B.B.B:9997

[tcpout:indexer2]
# Server entries must be comma-separated (the original was missing the comma).
server = C.C.C.C:9997, D.D.D.D:9997
```

In inputs.conf

```ini
[default]
_TCP_ROUTING = *
```
I just need to confirm, but will this cause performance issues on the server where the UF is installed?
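The two mistakes that most often break this kind of cloning setup are a `defaultGroup` that names a `tcpout:` group which is never defined, and a `server` list whose entries are not comma-separated, so the second indexer is silently treated as part of the first entry. The following linter is an added example, not code from the original post or from Splunk; the sample `outputs.conf` is constructed to mirror the post's snippet (the `A.A.A.A` addresses are placeholders), and the validation rules are this example's own rather than splunkd's.

```python
"""Lint a forwarder outputs.conf for two misconfigurations that silently break
data cloning: a defaultGroup naming a tcpout group that is never defined, and a
server list whose entries are not comma-separated.

Added example, not part of the original post. The config text below is
constructed to mirror the post's snippet; the IP addresses are placeholders.
"""
import configparser
import re

# Constructed sample: the post's outputs.conf as originally written.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:indexer1]
server=A.A.A.A:9997, B.B.B.B:9997

[tcpout:indexer2]
server=C.C.C.C:9997 D.D.D.D:9997
"""

# host:port, where host is a hostname or IPv4 literal; letters are allowed so
# the post's A.A.A.A placeholders still parse as a host.
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def parse_outputs_conf(text):
    """Parse Splunk .conf syntax (INI-like, '#' comments, case-sensitive keys)."""
    parser = configparser.ConfigParser(interpolation=None, comment_prefixes=("#",))
    parser.optionxform = str  # keys such as defaultGroup are case-sensitive
    parser.read_string(text)
    return parser


def lint_outputs_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    conf = parse_outputs_conf(text)
    findings = []
    groups = {s.split(":", 1)[1] for s in conf.sections() if s.startswith("tcpout:")}

    # 1. Every name in defaultGroup must have a matching [tcpout:<name>] stanza.
    if conf.has_section("tcpout") and conf.has_option("tcpout", "defaultGroup"):
        for name in (g.strip() for g in conf.get("tcpout", "defaultGroup").split(",")):
            if name not in groups:
                findings.append(f"defaultGroup references undefined group '{name}'")

    # 2. Every server entry must be host:port, and entries must be comma-separated.
    for group in sorted(groups):
        section = f"tcpout:{group}"
        if not conf.has_option(section, "server"):
            findings.append(f"[{section}] has no server setting")
            continue
        for entry in conf.get(section, "server").split(","):
            entry = entry.strip()
            if not HOST_PORT.match(entry):
                findings.append(
                    f"[{section}] malformed server entry '{entry}' (missing comma?)"
                )
    return findings


if __name__ == "__main__":
    for finding in lint_outputs_conf(SAMPLE_OUTPUTS_CONF):
        print("WARN:", finding)
```

Run against the post's original snippet it reports two findings (the undefined `default-autolb-group` and the space-separated pair in `indexer2`); with `defaultGroup = indexer1, indexer2` and the comma added, it reports none. Cloning itself doubles the forwarder's outbound bandwidth and tcpout queue usage, which is the performance cost to watch on the UF host.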
How can I identify forwarder data rate and index data rate (to identify a lag and prioritize logs)?
Hi,
Is there any way where we can identify how much data the forwarder is sending and how much data is being indexed in real-time?
The problem is that I have a single forwarder that is sending data to a single indexer and it's sending multiple logs, i.e. 50 monitored files with different indexes. I am receiving data from a few indexes in real time, whereas for some indexes I am having a lag, so I want to remove the lag and if possible give higher preference to some log files.
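The forwarder already records the numbers the question asks for in its own `metrics.log`: per-index kilobytes and event counts for each interval, together with the age of the events at the time they were forwarded, plus per-connection tcpout throughput. Summarising that file per index shows which indexes are lagging before looking at the indexer side. The script below is an added example, not part of the original post or of Splunk's own tooling. The log lines are constructed in the shape of splunkd's `per_index_thruput` and `tcpout_connections` metrics entries; treat the exact field names as an assumption and check them against your own `$SPLUNK_HOME/var/log/splunk/metrics.log`.

```python
"""Summarise a forwarder's metrics.log to see, per index, how much data it sent
and how old that data was when it left (the lag described in the post).

Added example, not from the original post. The log lines below are constructed
in the shape of splunkd's metrics.log per_index_thruput and tcpout_connections
entries; the field names are an assumption to verify against a real file.
"""
import re
from collections import defaultdict

# Constructed sample lines for one metrics interval (not a real capture).
SAMPLE_METRICS_LOG = """\
10-06-2017 18:33:45.629 -0400 INFO  Metrics - group=per_index_thruput, series="web", kbps=410.2, eps=1200.5, kb=12306.0, ev=36015, avg_age=0.4, max_age=2
10-06-2017 18:33:45.629 -0400 INFO  Metrics - group=per_index_thruput, series="app", kbps=95.1, eps=300.0, kb=2853.0, ev=9000, avg_age=1830.2, max_age=3605
10-06-2017 18:33:45.629 -0400 INFO  Metrics - group=per_index_thruput, series="db", kbps=12.0, eps=40.0, kb=360.0, ev=1200, avg_age=0.1, max_age=1
10-06-2017 18:33:45.629 -0400 INFO  Metrics - group=tcpout_connections, name=indexer1:A.A.A.A:9997:0, sourcePort=8089, destIp=A.A.A.A, destPort=9997, _tcp_Bps=530000.0, _tcp_KBps=517.6, _tcp_avg_thruput=500.1, _tcp_Kprocessed=15519, _tcp_eps=1540.5
"""

# key=value pairs; values may be double-quoted (series="web") or bare.
KV = re.compile(r'(\w+)=("([^"]*)"|[^,\s]+)')


def parse_metrics_line(line):
    """Return the key/value fields of one metrics.log line as a dict of strings."""
    fields = {}
    if " Metrics - " not in line:
        return fields
    _, _, body = line.partition(" Metrics - ")
    for m in KV.finditer(body):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize_index_throughput(log_text, lag_threshold_s=60.0):
    """Per index: KB and events sent plus the worst observed event age in seconds.

    Returns (per_index, lagging): per_index maps index -> {"kb", "ev", "max_age"};
    lagging is the sorted list of indexes whose max_age exceeds the threshold.
    """
    per_index = defaultdict(lambda: {"kb": 0.0, "ev": 0, "max_age": 0.0})
    for line in log_text.splitlines():
        f = parse_metrics_line(line)
        if f.get("group") != "per_index_thruput":
            continue
        stats = per_index[f["series"]]
        stats["kb"] += float(f.get("kb", 0))
        stats["ev"] += int(float(f.get("ev", 0)))
        stats["max_age"] = max(stats["max_age"], float(f.get("max_age", 0)))
    lagging = sorted(i for i, s in per_index.items() if s["max_age"] > lag_threshold_s)
    return dict(per_index), lagging


def forwarder_output_kbps(log_text):
    """Total tcpout throughput (KB/s) summed over all indexer connections."""
    total = 0.0
    for line in log_text.splitlines():
        f = parse_metrics_line(line)
        if f.get("group") == "tcpout_connections":
            total += float(f.get("_tcp_KBps", 0))
    return total


if __name__ == "__main__":
    per_index, lagging = summarize_index_throughput(SAMPLE_METRICS_LOG)
    for name, s in sorted(per_index.items()):
        print(f"{name:8s} kb={s['kb']:10.1f} ev={s['ev']:7d} max_age={s['max_age']:8.1f}s")
    print("forwarder output KB/s:", forwarder_output_kbps(SAMPLE_METRICS_LOG))
    print("lagging indexes:", lagging)
```

In the constructed sample the `app` index is an hour behind (`max_age=3605`) while `web` and `db` are current, which is the per-index lag the post is trying to locate. The indexer side of the comparison comes from the same `per_index_thruput` group in the indexer's own `metrics.log`, which is what a search over `index=_internal source=*metrics.log group=per_index_thruput` reports.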
Can we install a universal forwarder on a 2016 Windows server with SCCM?
Is it possible to get a UF installed on a 2016 Windows server with SCCM, or do we have to use a Chef recipe?
Universal forwarder -- error message with pass4SymmKey
I am trying to add an app that forwards some information to another set of indexers to a universal forwarder configuration that is managed by a deployment server and is already talking to a different set of indexers.
There is nothing at the etc/system/local level when I start the forwarder.
I get an error discovering the new indexers:

```
10-06-2017 18:33:45.629 -0400 ERROR IndexerDiscoveryHeartbeatThread - Error in Indexer Discovery communication. Verify that the pass4SymmKey set under [indexer_discovery:splunkservers] in 'outputs.conf' matches the same setting under [indexer_discovery] in 'server.conf' on the Cluster Master.
```
Although the error refers to a stanza that doesn't actually exist in my config, I have verified the key that I am using in the app as the correct pass4SymmKey for these indexers. However, when I start the forwarder, I see that a server.conf has been created automatically at the etc/system/local level and it contains a [general] stanza with a different pass4SymmKey as well as a [sslConfig] stanza with an sslPassword. I am wondering if this auto-created file is overriding my app configuration and how to troubleshoot this issue.
How can I view scan logs from Windows Defender?
Hi,
I have installed the SplunkUniversalForwarder and have successfully got data into Splunk. However, I want to view the scan logs from Windows Defender; how should I search for them on the search head?
Thanks in advance!
Using same inputs.conf for multiple forwarders with different monitor paths
I have a list of servers divided into different environments.
I will be installing a Splunk Universal Forwarder on each server and targeting a Splunk Enterprise instance.
I would like to create deployment apps on the enterprise instance, that will configure each environment.
Is it possible to use just one deployment app and thereby one inputs.conf for each environment, where it will monitor a path based on the hostname? e.g. something like:

```
if($hostname == "a")
[monitor://C:\LogFiles\A]
elif ($hostname == "b")
[monitor://C:\LogFiles\B]
```

Or will I need to create separate inputs.conf files for each individual server, and thereby also have to create a new deployment application for each server?
[possible duplicate][1]
[edit]: not enough karma for posting a link.
[1]: https://answers.splunk.com/answers/521945/how-to-use-single-inputsconf-across-multiple-forwa.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
Logs from rsyslog server stopped indexing
My setup is FW, WAF and Web-proxy logs being pushed to my Rsyslog Fwd which has a UF installed to push to my indexers.
So my logs that were coming from the Rsyslog server stopped mysteriously around 3am a few nights back, but the UF installed on that server is still sending out metrics logs but no firewall logs. I can't figure out what the issue is. What's even weirder is that all the logs didn't stop at one time but over the course of a few hours; the logs had been coming in consistently for a few weeks now, and this new deployment had been running for about 4-5 weeks.
There was a sharp increase in logs that came in the day of and after that the logging levels dropped to almost none with only the UF metrics getting indexed but no other logs.
• Host OS: Red Hat Linux 7.3
• Syslog software used: rsyslogd 7.4.7
• Splunk Software used: Splunk Universal Forwarder 6.6.3 for Linux
• Configuration changes to get syslog data from sources was done in /etc/rsyslog.d/rsyslog-splunk.conf.
• Logrotation for syslog data was configured in /etc/logrotate.d/rsyslog-splunk
Any ideas?
Unable to install Splunk Universal Forwarder on Windows Server 2003 (32-bit)
Hello,
I'm currently facing a problem installing the Splunk universal forwarder on one of our Windows servers. The installer I'm using is **splunkforwarder-6.2.12-277845-x86-release**; the OS version of the server is Windows Server 2003 32-bit. When I run the installer, the installation wizard always ends prematurely. I've also tried installing it quietly via the command line, with the same result, and tried installing it in low-privilege mode, again with the same result. I'm pretty sure that I'm using an admin account. What could be the problem here? Thanks in advance.
Cheers,
Dan
How to specify an index name in the docker instance of Splunk universal forwarder
I am trying to find a way to specify the index name to use when collecting data from a CSV file using the Splunk universal forwarder docker container. I have tried using SPLUNK_CMD environment variable and that does not seem to work. Any ideas how to provide the index name when starting the docker container?
Splunk universal forwarder not reporting data from SQL server
Hi everyone,
We have an issue with Splunk universal forwarders that we installed recently on SQL servers. I have inputs.conf and outputs.conf set correctly and there is no error in the log data, but it is not reporting logs in Splunk. Ours is a clustered search head pool with 2 search heads, 5 indexers and 5 heavy forwarders. We have a forwarder management console, which generally phones in to the universal forwarders by pushing some of the apps. In the past I had some other VMs where I faced the same issue; I reinstalled the universal forwarder agent, which fixed the issue, but currently that is not happening with these SQL servers.
Thanks in advance
Deployment server only showing 1 client at a time
I have only a deployment server at the current time, and to get ahead of the game we are going to roll the UF out to our Windows servers, as this can take months. My deployment server has no apps, so it is just the clients reporting. I currently have configured 2 clients but only 1 shows up at a time. If one is showing and I bounce the other client's Splunk service, it will show but the other client disappears?
Universal Forwarders are phoning home but the indexes are not populating
So while I was out, some Windows config changes were pushed to some Windows servers that had fully deployed UFs with deployed apps. Prior to these Windows changes, the servers were sending wineventlogs via UFs to the indexers without issue. Now the UFs are phoning home but I am not able to see any data since the time the Windows changes took place. In fact, since the changes the indexes do not show when I run the following search AFTER the time of the changes:

```
| tstats values(sourcetype) WHERE index=* by index
```
The indexes do show up when I run the search BEFORE the time changes were made, which makes sense.
It appears all Windows-related indexes are down; any advice on where to start troubleshooting?
Thank you
Does Splunk have an official stance on distributing its binaries (eg, Forwarder) within an organization's infrastructure?
This is related to the question [asked here](https://answers.splunk.com/answers/33933/is-there-a-yum-rpm-repo-for-splunk.html).
Since Splunk refuses to make its universal forwarder available as a package in a repository that can be directly updated, we are forced to create a local repository and mirror (i.e., via Spacewalk) to do this. Some people in our organization questioned the legality of this. The TOS only vaguely remarks on "distributing" the software, but some of us assume this refers to others outside the organization. Does Splunk have an official stance on redistributing the Forwarder to computers within the organization that accepted the licensing agreements?
Splunk Universal Forwarder installing additional roles?
I had installed the Universal Forwarder 6.5.1 a while back and set it to connect to a deployment server / Splunk instance. All I wanted it to do was be a forwarder. However, upon a Nessus scan of the host, I see that it also has the following server roles: deployment_client and license_master, as well as a web interface running on 8089. Is this a standard thing, or did I do something incorrectly? In add/remove programs it is showing installed as "UniversalForwarder".

```
URL : https://windowshost.mydomain.com:8089/
Version : 6.5.1
License : Enterprise
Management API : 1
Server Roles :
- deployment_client
- license_master
- universal_forwarder
```
Why collect Syslog via universal forwarder vs sending to Splunk directly?
Hi all,
I've been reading quite a bit on syslog collection via a Splunk Universal Forwarder, in particular [answer #28680](https://answers.splunk.com/answers/28680/index.html). I understand the reasons behind using a SUF or another syslog collector as opposed to sending to Splunk directly. I haven't, however, been able to figure out how to perform an approach such as:

```
syslog device (rsyslog - linux client) -> SUF -> Splunk
```
Can someone point me in the right direction?
I apologize if this question has been answered before, but my google-fu isn't helping me.
Thank you.