Hi Everyone,
I am testing universal forwarding in our testing environment and also installed universal forwarder in one of windows server, but can't get the desire logs.
My test environment included Splunk Enterprise OVA as server and Windows server (with universal forwarder installed) which is client. I had used the "deployment server" command(set deploy-poll) and then restart.
On Splunk OVA enterprise server
Added forwarder input using Settings -> "Data Inputs" -> "Forwarded Inputs" -> "Windows Event Logs"-> New (could see my desired deployment client in the list). Selected Application, security & system events.
Tested:
1. I had check the Eventviewer logs; there logs are generating
2. Check the Tcp dump; there is also logs are coming from the windows server.
Also I am geeting Messages:
- Skipped indexing of internal audits event will keep dropping events until indexer congestion is remedied.check disk space and other issues that may cause indexer to block.
- Forwarding the indexer group default-autolb-group blocked for 10 seconds.
↧