Linux Universal Forwarder - Security Recommendations
Hello Splunk-Community, for month we are discussing with our Linux admins, if it is ok to install Splunk Universal Forwarder on Linux (Red Hat) or not. We just want to collect Tomcat / Apache logs from...
View ArticleDeploying and updating Splunkbase apps using a deployment server?
I'm running Splunk for Enterprise 7.3.0 on Ubuntu 18.04 doing a demo deployment with a sales trial license. It's a single instance deployment with only a handful of hosts, but the production deployment...
View ArticleWhat is the admin account for on a Universal Forwarder?
I have UFs on some "sensitive" servers and the owners - that did the install are questioning the purpose of the Admin account. I have just accepted the fact that all splunk nodes require credentials...
View ArticleDeploying and updating Splunkbase apps using a deployment server?
I'm running Splunk for Enterprise 7.3.0 on Ubuntu 18.04 doing a demo deployment with a sales trial license. It's a single instance deployment with only a handful of hosts, but the production deployment...
View ArticleUniversal Forwarder Stops sending data
Hi, We have a Universal Forwarder on our Linux rSyslog server. It was working fine until two weeks ago. The problem was it would stop sending data to the indexer, but showed no errors in the...
View ArticleCan multiple Splunk Universal Forwarders use same NAT IP for sending data to...
We have around 100 Universal Forwarders in a specific Office location A and another 50 Universal Forwarders in Office location B. We are trying to use a single NAT IP (192.168.10.20) for Office...
View ArticleUniversal Forwarder to report 2 Indexer
What is the best way to route security events to Security Indexers and rest of the sourcetypes to operational indexers? And Can we manage universal forwarder with 2 deployment servers?
View ArticleUniversal Forwarder - Tag or add identifier to data to distinguish environment
Hey everyone, Summary of the long post: On universal forwarders, I need to add some kind of identifier like a tag or metadata value to all data before it is sent to distinguish the environment it is...
View ArticleIs it possible to update the Splunk Universal Forwarder but not change...
I have some old versions of Splunk lying around and want to just do an update, not change the directory being monitored or anything else. How can I do that? The Sudplunk required items in the pillar...
View ArticleMonitor all remaining files not specifically matched
We have several syslog-ng collectors with UFs on them. The UF monitors the paths and files that syslog-ng generates that we point it to, but I know there are probably several systems sending syslog...
View ArticleMonitoring Registry via universal forwarder not working
Hi, I am trying to monitor a registry key from a remote server using a universal forwarder. No matter what i put in my inputs.conf, i just cannot get it to work. This is my inputs.conf:...
View ArticleHow to externally trigger a universal forwarder to send data to an indexer...
I have server "X" on which is installed a universal forwarder. Typically, I'd use the universal forwarder's cron functionality to trigger the execution of a PowerShell script. The PowerShell script...
View ArticleCannot see the data that is being forwarded/indexed in the Splunk web interface
Hi everyone, I am currently facing an issue which am not getting my head around it. I have installed the universal forward in win srv 2012r2 to send every log to Splunk server. However, In the Splunk...
View ArticleCan't see see a list of files that Splunk is currently monitoring
I want to list out the current data inputs, I ran the following command: C:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor Splunk prompted me for username and password, I entered my...
View ArticleHow to see a list of files that Splunk is currently monitoring?
I want to list out the current data inputs, I ran the following command: C:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor Splunk prompted me for username and password, I entered my...
View ArticleUpgrade UF package credential
Hi all, We are trying to upgrade UF package credential in our intermediate forwarders (including HFs). PFB steps which I followed: 1. Login to SH 2. Go to apps --> Universal Forwarder 3....
View Articleunivversal forwarder 7.3.1 install failing with no logging
i have used this script with previous versions with no issues msiexec.exe /i splunkforwarder-7.3.1-bd63e13aa157-x64-release.msi DEPLOYMENT_SERVER="mydeploymnetserver:8089" SPLUNKPASSWORD="mypassword"...
View ArticleUniversal Forwarder requires restart after registering new WinEventLog source
We are running a Universal Forwarder on our Windows servers which host several of our application. Each application logs to the same Windows Event Logbook, but use different sources to be able to...
View Articlenot getting internal logs from forwarder
Hello, We are not getting any internal logs from one of our forwarder but its phoning home. we can also add or delete an app through deployment server remotely. The forwarder is ingesting logs to one...
View ArticleHow to configure the universal forwarder to Heavy forwarder then to an Indexer?
Hi, Can someone help what are the step I need to do if I have below flow : Universal Forwarder ------- Heavy forwarder ------- Indexer And need help how to parse the traffic when the log will at heavy...
View Article