Well! I have configured my Splunk server to accept logs on port 9997 from remote hosts, and I have configured my universal forwarder to forward logs to my Splunk server on port 9997.
My outputs.conf file is:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.71.250:9997
[tcpout-server://10.0.71.250:9997]
and my inputs.conf is:
[default]
host = splunk1-PC
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog:Application]
disable = false
[WinEventLog:Security]
disable = false
[WinEventLog:System]
disable = false
By running netstat -n on my Splunk server and on the Windows system [universal forwarder], I can see this (and vice versa):
Local Address Foreign Address State
10.0.70.70:51137 10.0.71.250:9997 ESTABLISHED
Apache logs are coming from the Windows system [universal forwarder], but Windows events are not. I am unable to find the exact problem. Kindly help!!
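An added example, not part of the post above and not Splunk's own tooling: a small linter that parses the inputs.conf shown in the post (embedded here as a constructed string) the way Splunk reads it, folds the [default] stanza into the others, and flags any key in a WinEventLog stanza that inputs.conf does not recognise. Splunk does not reject a misspelled setting; it simply never acts on it, so "disable = false" leaves the stanza's real "disabled" setting untouched. The set of accepted keys is an assumed subset of the inputs.conf spec, and the "fixed" variant is constructed here for comparison.

```python
import configparser

# Constructed copy of the inputs.conf shown in the post (an inline string, not a file on disk).
POSTED_INPUTS_CONF = r"""
[default]
host = splunk1-PC

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog:Application]
disable = false

[WinEventLog:Security]
disable = false

[WinEventLog:System]
disable = false
"""

# The same file with the stanza key spelled the way inputs.conf expects (constructed for comparison).
FIXED_INPUTS_CONF = POSTED_INPUTS_CONF.replace("disable = false", "disabled = 0")

# Assumption: a subset of the settings a WinEventLog stanza accepts in inputs.conf.
# Splunk does not reject a key it does not know; it just never acts on it.
WINEVENTLOG_KEYS = {
    "disabled", "index", "sourcetype", "source", "host", "queue",
    "start_from", "current_only", "checkpointInterval",
    "evt_resolve_ad_obj", "whitelist", "blacklist", "renderXml",
}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Values from a [default] stanza are folded into every other stanza, which is
    how Splunk applies them; keys keep their case because Splunk is case-sensitive.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="default")
    cp.optionxform = str  # do not lowercase keys
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def lint_wineventlog(text):
    """Return one finding per unknown key in a WinEventLog stanza."""
    findings = []
    for name, keys in parse_conf(text).items():
        if not name.startswith("WinEventLog:"):
            continue
        for key in keys:
            if key in WINEVENTLOG_KEYS:
                continue
            hint = " (did you mean 'disabled'?)" if key.lower() == "disable" else ""
            findings.append(f"{name}: unknown key '{key}' is ignored{hint}")
    return findings


def disabled_setting(text):
    """Map each WinEventLog stanza to its explicit 'disabled' value, or None when it is unset."""
    return {name: keys.get("disabled")
            for name, keys in parse_conf(text).items()
            if name.startswith("WinEventLog:")}


if __name__ == "__main__":
    for finding in lint_wineventlog(POSTED_INPUTS_CONF):
        print(finding)
    print("posted:", disabled_setting(POSTED_INPUTS_CONF))
    print("fixed: ", lint_wineventlog(FIXED_INPUTS_CONF), disabled_setting(FIXED_INPUTS_CONF))
```

On the forwarder itself, `splunk btool check` performs the same kind of spec validation against every .conf file, and `splunk btool inputs list --debug` shows which file each effective setting comes from, which is the quickest way to see whether a stanza is actually enabled after all layers are merged.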