I am trying to set up my Splunk Enterprise 6.6.1 to be able to ingest Windows logs from remote PCs but am not having much luck. I know I am missing something, or not comprehending something, but can't figure it out.
So far, I have configured the receiver on my indexer as TCP port 9997. I have installed the Windows universal forwarder v7.0.0 on the Windows PC I want to collect the logs from. I have enabled collection of both the System and Application logs. I am seeing the following in my splunkd log file on the client where the universal forwarder is installed:
09-29-2017 08:58:23.417 -0400 INFO TcpOutputProc - Connected to idx=10.0.103.210:9997, pset=0, reuse=0.
09-29-2017 08:58:59.026 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.1.211.25_8089_bens-testbox.patientfirst.com_BENS-TESTBOX_FC09E8A3-4F3E-4CCC-BF5B-8C3D6884D2C4
09-29-2017 08:59:59.040 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.1.211.25_8089_bens-testbox.patientfirst.com_BENS-TESTBOX_FC09E8A3-4F3E-4CCC-BF5B-8C3D6884D2C4
I have the following in my inputs config on the universal forwarder client:
[default]
host = BENS-TESTBOX
# Windows platform specific input processor.
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 1
[WinEventLog://System]
disabled = 0
I then have the following in my Splunk Enterprise inputs config file:
[default]
host = splunk1
[splunktcp://9997]
connection_host = none
disabled=0
When I try to do a search through my search head (currently my setup is a single indexer with a single separate search head) for host: #ipofclientpc, I don't get anything.
I have not set up a data input, which I think is my issue, but can't figure out the correct process to configure that to pull/receive from the forwarder.
If anyone can help, I would be most appreciative.
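The posted configuration already tells you two things worth checking before touching anything else: the forwarder's inputs.conf sets host = BENS-TESTBOX under [default], and the indexer's splunktcp stanza has connection_host = none, which keeps whatever host value the forwarder sent. So any events that do arrive carry host=BENS-TESTBOX, not the client's IP address. The following diagnostic script is an added example, not code from the original post or from Splunk; it is meant to be run as Administrator on the Windows client, and it assumes the default universal forwarder install path and the indexer IP and port shown in the posted TcpOutputProc log line.

```powershell
# Added diagnostic script (not part of the original post). Run as Administrator on the
# Windows host where the universal forwarder is installed.
# Assumptions: default UF install path; indexer address/port taken from the posted splunkd.log.
$SplunkHome = "$env:ProgramFiles\SplunkUniversalForwarder"
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$Indexer    = '10.0.103.210'   # from "Connected to idx=10.0.103.210:9997" in the posted log
$Port       = 9997             # receiver port configured on the indexer

# 1. Is the forwarder service running, and under which account?
#    WinEventLog inputs only collect what this account is allowed to read.
Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'" |
    Select-Object Name, State, StartName

# 2. Can this host reach the indexer's receiving port right now?
Test-NetConnection -ComputerName $Indexer -Port $Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. What does the forwarder actually have configured? btool merges every inputs.conf
#    and outputs.conf on disk and, with --debug, names the file each setting came from.
& $Splunk btool outputs list tcpout --debug
& $Splunk btool inputs  list WinEventLog --debug

# 4. Effective host value. Because the indexer uses connection_host = none, this is the
#    value the events will carry, and therefore the value to search on.
& $Splunk btool inputs list default --debug | Select-String -Pattern '\bhost\s*='

# 5. Confirm the two enabled logs are readable from this session. If this fails, the
#    input stanza is enabled but nothing can be collected.
foreach ($log in 'Application', 'System') {
    $latest = Get-WinEvent -LogName $log -MaxEvents 1 -ErrorAction Stop
    '{0}: newest event at {1} (event id {2})' -f $log, $latest.TimeCreated, $latest.Id
}

# 6. Recent errors or warnings from the forwarder itself (the same splunkd.log quoted above).
Get-Content (Join-Path $SplunkHome 'var\log\splunk\splunkd.log') -Tail 200 |
    Select-String -Pattern 'ERROR|WARN' | Select-Object -Last 20
```

If all six checks look healthy, the search to run on the search head is on the host name rather than the IP, for example `host=BENS-TESTBOX sourcetype=WinEventLog:System` over a recent time range (the sourcetype name is the default the universal forwarder assigns to a WinEventLog://System input; which index the events land in depends on your indexer's defaults, and is an assumption here). Note that the posted inputs.conf has the Security log disabled (disabled = 1), so no Security events should be expected until that stanza is changed.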