Hi all,
I have 3 Splunk 6.4.1 Indexers and a Splunk 6.4.1 Search Head + Distributed Management Console (DMC) on Linux Red Hat 6.6.
I've tested Windows Event Log forwarding from Windows 2008 R2 Domain Controller Servers in the Preproduction environment with 1 Splunk 6.4.1 Indexer + Search Head + DMC, and Event Logs were forwarded with no problem.
I've migrated the Splunk Universal Forwarder (SUF) in Production from 5.0.2 to 6.4.3 with a clean installation (uninstall SUF 5.0.2, reboot the server and reinstall SUF 6.4.3). Before, with SUF 5.0.2, Windows Events were forwarded with no problem; after the SUF clean upgrade to 6.4.3 I receive the following message once:
> Received event for unconfigured/disabled/deleted index='wineventlog' with source='source::WinEventLog:Security' host='host::my-host' sourcetype='sourcetype::WinEventLog:System' (1 missing total)
and Event Logs stopped being forwarded.
I haven't changed the configuration on my Indexers and Search Head; my configuration is below:
* $SPLUNK_HOME/etc/system/local/serverclass.conf

```
[serverclass:domain_controller]
host = my-dc-host

[serverclass:domain_controller:app:domain_controller]
```

* $SPLUNK_HOME/etc/deployment-apps/domain_controller/default/inputs.conf

```
[WinEventLog://Security]
disabled = 0
```
(I've also tried to add "index = main" at the bottom of the above stanza, with no result.)
And other configurations to send logs globally from deployment clients to the deployment server...
I've tried to uninstall and reinstall SUF 6.4.3, but the issue was not resolved. I've also read all the Splunk Answers on the same problem, but before the SUF upgrade Windows Event Logs were forwarded with no problem, and in Preproduction all works fine.
Any suggestion?
Regards.
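The error quoted above means the indexers received events addressed to an index named `wineventlog` that none of them has defined, so the events are dropped. The fragments below are an added example, not the poster's configuration or a Splunk-supplied file: they show the two places where the index name must agree. The `wineventlog` index name is taken from the quoted error; the `homePath`/`coldPath`/`thawedPath` values and the `Application`/`System` stanzas are assumptions for illustration.

```ini
; ---- On every indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ----
; Define the index the forwarder is sending to. Without this stanza
; (or an equivalent in an app's local/indexes.conf) the indexer logs
; "Received event for unconfigured/disabled/deleted index='wineventlog'"
; and discards the events. Paths below are example values.
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb

; ---- On the deployment server: deployment-apps/domain_controller/local/inputs.conf ----
; Set the destination index explicitly in every Windows Event Log input so the
; name does not depend on a default inherited from another app on the forwarder.
; Use local/, not default/, so a later app upgrade does not overwrite it.
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog
```

To confirm which index value a forwarder actually resolves for an input, run `splunk btool inputs list WinEventLog://Security --debug` on the forwarder; the `--debug` flag prints the file each setting comes from, which shows whether a second app is supplying `index = wineventlog`. On an indexer, `splunk list index` shows the indexes that exist, and a restart (or a deployment-server reload) is needed after changing either file.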