Channel: Questions in topic: "universal-forwarder"

Windows Universal forwarder shows 2 host names for the same server

Hello, we have a single-instance Splunk deployment. I have installed the Universal Forwarder on a Windows 2012 R2 Active Directory DC. Upon checking/searching for the events in the Splunk Search UI, I noticed it shows 2 different host names for the same DC server (screenshot below). How do I resolve this? If I click on the 1st host "LAN-AD", it shows events related to CPU and memory monitoring, whereas if I click on the other one, it shows events related to Security events, the Application event log, etc.

How to add a data input in Server GUI that modifies the inputs.conf file in the Universal Forwarders?

Hi: I'm using Splunk on a Mac OS X system. I've installed Universal Forwarders on several Windows machines. I've used the installer's GUI for the forwarders, customised the options to monitor a folder, and data IS getting into the Splunk server. But when I check the Universal Forwarder's etc/system/local/inputs.conf file I only see 2 lines, [Default] and host name. Nothing there about the directory I'm supposed to monitor on the server. As I've said, data IS getting into the server, but I get the "no source type for this job" error when trying to extract fields. So I was wondering whether I should trust the GUI to add a Data Input for a directory on the managed forwarders (they also show OK in the server's console), or just tweak the inputs.conf file locally on each forwarder to add the source type field there. If I add a data input in the server GUI, is that configuration written anywhere on the remote universal forwarder? Thanks!

Upgrading Splunk Universal Forwarder from 6.4.3 to 7.2.1

Hi. We are running Splunk Enterprise 6.4.3, and our Universal Forwarders are running the same version. We'll be upgrading Splunk Enterprise to 7.2.1, which I understand involves a hop to 6.5, then an upgrade to 7.1.x. We want to upgrade our Universal Forwarders as well. Does upgrading the forwarders from 6.4.3 -> 7.1.x also require the extra hop? Or can they go straight from 6.4.3 to 7.2.1? Thanks!

How to blacklist events for a specific event code and task category?

Trying to blacklist specific Windows event logs based on event code and task category, but it doesn't work.

    [WinEventLog://Security]
    disabled = 0
    start_from = oldest
    current_only = 0
    checkpointInterval = 5
    index = winevents
    renderXml=false
    blacklist1=EventCode="5145" TaskCategory="(Detailed File Share|File Share)"

Example event:

    07/13/2018 11:22:01 AM
    LogName=Security
    SourceName=Microsoft Windows security auditing.
    EventCode=5140
    EventType=0
    Type=Information
    ComputerName=SomeServer
    TaskCategory=File Share
    OpCode=Info
    RecordNumber=5487448804
    Keywords=Audit Success
    Message=A network share object was accessed.
    Subject:
        Security ID: S-1-5-21-xxxxxxxxx-xxxxxx-xxxxxx-xxxx
        Account Name: cz9_rmc_s3_CIFS$
        Account Domain: domain
        Logon ID: 0x3D9AC95C1
    Network Information:
        Object Type: File
        Source Address: 10.xxx.xx.xxx
        Source Port: 45088
    Share Information:
        Share Name: \\*\IPC$
        Share Path:
    Access Request Information:
        Access Mask: 0x1
        Accesses: ReadData (or ListDirectory)
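The filtering stanza written out in full, as an added example that is not from the post (the second rule and the commented alternative are assumed): each blacklist<N> line is one rule, and a rule drops an event only when every key="regex" pair on that line matches the corresponding field of the event. The sample event in the question is EventCode=5140, which a rule naming only 5145 never matches.

```ini
# inputs.conf on the Universal Forwarder (added example, not the poster's file)
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = winevents
renderXml = false

# Rule 1: both pairs must match the same event. TaskCategory is matched as a
# regex against the event's TaskCategory field, so 5145 needs the alternation.
blacklist1 = EventCode="5145" TaskCategory="(Detailed File Share|File Share)"

# Rule 2 (assumed): the sample event is EventCode=5140 / TaskCategory=File Share.
# It only disappears if some rule names 5140 as well.
blacklist2 = EventCode="5140" TaskCategory="File Share"

# Narrower alternative (assumed, share name taken from the sample event): keep
# the other 5140 share-access events and drop only the IPC$ noise. Message is
# matched as a regex against the whole message text; (?s) lets . span lines.
# blacklist3 = EventCode="5140" Message="(?s).*Share Name:.*IPC\$.*"
```

5140/5145 are the events that record network share access, so dropping every one of them in these categories also removes the evidence of remote share use; a rule keyed on the specific noisy share is usually the better trade-off.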

Why am I not seeing custom logs using the universal forwarder?

I am using the UF to try and collect logs from a custom Windows application. Below is my inputs.conf stanza. However, I am not seeing the logs. How can I see if they are getting collected, and how can I see if they are getting to the indexer?

    [WinEventLog://Quest File Access Audit]
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    index = wineventlog
    renderXml=false

Renaming index for data coming from universal forwarder

We have data coming from lots of universal forwarders; it has various sources and sourcetypes and is sending data only to a single index. We don't have access to inputs.conf. How can we redirect the data to a different index? Can we use transforms.conf to work on that particular index (i.e. changing the index name for data based only on the existing index)?
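Rerouting by sourcetype rather than by the existing index, as an added example that is not from the post (sourcetype, transform and index names are assumed): props.conf selects data by sourcetype, source or host, never by the index it is currently bound for, so each sourcetype or source to be moved has to be named; the stanzas go on the indexers (or a heavy forwarder), because a universal forwarder does not parse events.

```ini
# props.conf on the indexer(s). A UF sends unparsed data, so index-time
# transforms run here, not on the forwarder (added example, names assumed).

# One stanza per sourcetype to move; [source::...] and [host::...] stanzas
# work the same way. A stanza keyed on the current index is not supported,
# so "everything currently in index=main" cannot be selected directly.
[app_access_log]
TRANSFORMS-reroute = move_to_app_index

[app_error_log]
TRANSFORMS-reroute = move_to_app_index

# transforms.conf on the same instance
[move_to_app_index]
# "." matches any non-empty event, so every event of the stanza is rerouted;
# use a tighter REGEX to move only some of them (e.g. REGEX = \bERROR\b).
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_index

# indexes.conf on the indexer(s): the target index must exist, otherwise the
# rerouted events are dropped rather than falling back to the old index.
[app_index]
homePath   = $SPLUNK_DB/app_index/db
coldPath   = $SPLUNK_DB/app_index/colddb
thawedPath = $SPLUNK_DB/app_index/thaweddb
```

Put this on the first instance in the path that parses the data: once a heavy forwarder has cooked the events, the indexers do not run index-time transforms on them again.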

What is the job of the universal forwarder in Splunk App for Windows Infrastructure?

Hi all, as a newbie I have a question regarding the App for Windows Infrastructure. We have a single instance of Splunk Enterprise on Linux. I have gone through other threads on this subject before asking this question. Based on its documentation as shown in the image, it says the app collects data from Windows systems using "Splunk Add-on for Windows" and from Active Directory using "Splunk Add-on for AD". My question is, where does the "Universal Forwarder" that gets deployed on the servers come into the picture if the "Add-on" components are doing the same job? What is the point of installing the UF then? Their doc also mentions installing the Universal Forwarder on Windows systems that we want to monitor. I see that as redundant, unless someone can please clarify its use in this scenario. I need to monitor Active Directory in our environment and I am tempted to use this App for Infrastructure. How do you use this in your environment? Does it work alongside the UF or does it work in place of the UF? Neeraj

Why does clustering always appear as a repeat phenomenon without a reason?

Hello, I have a strange question; it is described a bit roughly. I have a single-site cluster that contains 5 indexers, 4 search heads, a deployer, a cluster master, some deployment servers, some heavy forwarders, and some universal forwarders. The deployment server also acts as a heavy forwarder. The search factor of the indexer cluster is 2 and the replication factor is 3. Universal forwarders monitor log files and forward to the HF, then the HF forwards to the indexer cluster. Strange things always happen unreasonably. When the cluster has been running for a period of time, some sourcetype events will be duplicated; sometimes each event is repeated 5 times. If I restart the heavy forwarders, the repetition phenomenon disappears and the whole cluster returns to normal, but sometimes I need to restart the universal forwarder for it to work. Some sourcetype events have been duplicated again and I will need to restart the HF or UF to return to the normal state. I tried to find out the reason from the indexer's splunkd.log, but I didn't find any clues. I think index replication has a problem but I couldn't find any error logs. Why does it return to normal when I restart the HF or UF?

Powershell script not running on schedule

I'm running 2 PowerShell scripts on a Universal Forwarder version 7.0.1 to get all the users and systems from AD; I want them to run every day at 12 AM. I have the PowerShell add-on on the universal forwarder. For some reason the scripts are not running every day; sometimes it works and sometimes it won't. Usually after a restart it runs once and then the next day it's not running again. Their inputs in inputs.conf are:

    [powershell://Active-Directory]
    script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\\systems.ps1"
    schedule = 0 0 0 * * *
    index = something

    [powershell://Users]
    script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\\users.ps1"
    schedule = 0 0 0 * * *
    index = something2

I can't find anything helpful in the logs or online. Thanks in advance.

Get lost data into UF from the last disabled/turned off time automatically

Hi, I have a new scenario. I installed the Universal Forwarder on a server where I receive other servers' logs in a folder. Whenever I turn off my server, the UF also gets turned off. After restarting my server, the Universal Forwarder runs perfectly and gets data from the server from the turned-on time. When the server is turned on, it gets the off-time data into the server automatically. I want to get the off-time data into the Universal Forwarder automatically from the server. I have one thought: whenever I turn on the UF, it should cross-check the last disable time and then automatically get data from the disable time. Is it possible to set this in the UF configuration?

Splunk universal forwarder to Splunk Enterprise with configured HEC (all on CentOS 7)

Hello, I have spent a couple of days trying to get proper logging to HEC on my Enterprise Splunk but can't handle it. I have also configured the Splunk App for Infrastructure and I have added the host to be monitored. The logs are sent to one of the HECs, which is configured for em_metrics, but I want to add additional configuration on the universal forwarder to monitor some logs. I can collect logs, but over Splunk's input on 9997/tcp. I want to reach it over the additional HEC which I have already created on the Enterprise instance. Can you give me some example of how to configure a proper inputs.conf and outputs.conf to send to my HEC?

Splunk App for Infrastructure - forwarder issue

Hi, I've installed the Splunk App for Infrastructure on my local PC with Windows 10 and want to collect local metrics and logs in this app. When I configure my local PC as an entity I get to a point where I can copy/paste a script into PowerShell. When I do so I get:

    [*] Install Splunk Universal Forwarder on localhost
    [*] indexer server: localhost:9997
    [*] checking for previous installations of splunk>...
    [!] install directory already exists. continuing to congure ..
    Test-Connection : Testing connection to computer 'KR9162NBN' failed: Unknown error (0x2b2a)
    At C:\WINDOWS\system32\install_uf_script.ps1:174 char:12
    + $ip_info = Test-Connection -ComputerName $env:computername -count 1 | ...
    +            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ResourceUnavailable: (KR9162NBN:String) [Test-Connection], PingException
        + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Commands.TestConnectionCommand
    [*] configuring metrics & log inputs...
    [*] Restarting splunk> universal fowarder
    SplunkForwarder: Stopped

    Splunk> Needle. Haystack. Found.

    Checking prerequisites...
            Checking mgmt port [8090]: open
            Checking conf files for problems...
            Done
            Checking default conf files for edits...
            Validating installed files against hashes from 'C:\Program Files\SplunkUniversalForwarder\splunkforwarder-7.1.2-a0c72a66db66-windows-64-manifest'
            All installed files intact.
            Done
    All preliminary checks passed.

    Starting splunk server daemon (splunkd)...
    SplunkForwarder: Starting (pid 22324)
    Done
    [*] splunk> successfully started.
    [*] running clean up.
    [*] clean up complete. Exiting...

I had previously installed a forwarder, so the script uses the existing one and tries to configure it to send metrics and logs, but I get the above error and no entity is shown in the app. When I look at Monitoring Console -> Forwarders I see that the forwarder is up and running. I tried to uninstall and reinstall the forwarder - same issue. Any ideas? Thanks in advance.

splunk-regmon causes an error when the UF runs as a non-privileged user

Hi all, I'm currently doing some tests with the UF on Windows 10 hosts. Unfortunately I'm getting an error I have not been able to get rid of yet. When running the UF as a user account that is part of the Administrators group, everything runs fine. As we do not want to run the process with full administrative rights, I created a local user "splunk" and gave it the following rights:

- full control over the UF directory
- Permission to log on as a service.
- Permission to log on as a batch job.
- Permission to replace a process-level token.
- Permission to act as part of the operating system.
- Permission to bypass traverse checking.

(source: http://docs.splunk.com/Documentation/Splunk/6.6.3/Installation/ChoosetheuserSplunkshouldrunas)

With the non-privileged settings I get the following messages in splunkd.log with WinRegMon inputs enabled:

    07-30-2018 14:50:26.985 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - manageDriver Open SC Manager failed! Error = 5
    07-30-2018 14:50:26.985 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - WinRegistryMonitor::StartDriver: Unable to install driver.

Accordingly, I do not get any data from source WinRegMon. The same configuration seems to be working fine on Windows 7. Has anyone had the same issues yet? Tested versions are UF 6.6.3 and UF 7.1.1.

In RSYSLOG configuration, how to get the UF to send the other log information to the relevant index in our single Splunk instance?

I am trying to see where I have gone wrong with my RSYSLOG configuration and forwarding information for Splunk. In our environment we are using SNARE on our endpoints, which sends the data to an RSYSLOG (CentOS) box which runs the Splunk UF. The Splunk UF then sends to a single instance of Splunk. So far the communications are working. The endpoints are sending to the RSYSLOG box, and the RSYSLOG box has been configured to pick up and log events based on a "content match". For example, data coming from "Windows-Security-Auditing" goes to a log file called "windowssecurityevents.log". Data from PowerShell goes to a log file called "powershell.log". This works fine. I have also configured the Splunk UF (inputs.conf) with the following:

    [monitor://path/windowssecurityevents.log]
    disabled = false
    index = winsecevents
    sourcetype = winsecevents_syslog

    [monitor://path/powershell.log]
    disabled = false
    index = powershell
    sourcetype = powershell_syslog

    [monitor://path/OtherLog1.log]
    disabled = false
    index = OtherLog1
    sourcetype = OtherLog1_syslog

    [monitor://path/OtherLog2.log]
    disabled = false
    index = OtherLog2
    sourcetype = OtherLog2_syslog

I also ran a command in CentOS to add the forward-server: "./splunk add forward-server 1.1.1.1:9997". I am only able to see logs for 1 log file. The other 3 are not showing in the separate Splunk indexes that I have configured. The log files themselves are growing and I can see my data in RSYSLOG, so the problem isn't there. I am trying to see what I need to do with the UF to get it to send the other log information to the relevant index in our single Splunk instance.

Is there a way to delete old log file in UF before start re-ingestion?

Hi, this is the same scenario as my last question. I am getting data from a server where I have installed my UF. Every night at 12 AM a log file is generated with the date as mylog_yesterday_date.log. Sometimes I reboot the server; after rebooting the server, it collects all data from the shutdown time. Let's say I shut down my server yesterday at 4:00 PM and rebooted today at 1:00 PM. After rebooting the server it collects all data from the shutdown time (yesterday 4:00 PM) until the reboot time (today 1:00 PM) and will continue gathering data in real time; this is happening on the server. When it comes to log creation, yesterday's midnight log was created as mylog_yesterday_date.log, but the file only has data until 4:00 PM because it had gathered until that time. This file is forwarded to Splunk. After rebooting the server, it has the full day's data. Before I add this data to the UF, currently I am deleting yesterday's half data and starting re-ingestion. This way I am getting data without data loss. My question is, is there any way to delete yesterday's half file data from the UF automatically, by comparing yesterday's log file's last timestamp with the time 11:59 PM, by writing scripts before starting the re-ingestion process? If so please let me know. Thanks, Chandana

6.1.4 UF to 7.1.2 indexer without SSL

We are upgrading our Splunk indexer from 6.4.3 to 7.1.2 (via 6.5). Our forwarders are running a mixture of 6.2.4 and 6.4.3 and are NOT using SSL. Then I noticed this compatibility matrix for the UFs: http://docs.splunk.com/Documentation/Forwarder/7.1.2/Forwarder/Compatibilitybetweenforwardersandindexers If I read this correctly, does this mean we must enable/configure SSL on our 6.4.3 UFs before we upgrade? Or will we still be able to send data to the 7.1.2 indexer without SSL from the older UFs? Thanks!

How to check how long splunk uf agents have been down on particular servers?

Hi, we have a list of servers a,b,c,d,e,f. How can we check how long the Splunk UF agents have been down on the servers a,b,c,d,e,f? At present we have restarted the UF agents. I am looking for a query. Any help would be great. Thanks in advance :)