Forwarder only reads file if I save it, ignores when script saves it
Hello everyone, I have Splunk Universal Forwarder running on a server watching a few files for changes. Log data is inserted at the end of the files every 5 minutes or so. Up until a few days ago, all...
Splunk Daemon and Solarwinds
Hi everyone, We are looking into the possibility of another way to monitor the Splunk universal forwarders on our servers, besides within the search head or deployment server. One idea raised was...
Is UF 7.2.8 compatible with RHEL 8?
Is UF 7.2.8 compatible with RHEL 8? Please let me know the minimum version of the UF agent that is compatible with RHEL8.
Unable to install universal forwarder windows 10
Every time I try to install the universal forwarder on a Windows 10 64bit machine it ends prematurely immediately. When I check the event logs I see the Event IDs 1033 (with status code 1603) and...
Raspberry Pi Universal Forwarder Bug Report for...
On a Raspberry Pi 3 armv7l GNU/Linux, `INDEXED_EXTRACTIONS=JSON` in the `props.conf` file results in unrecoverable JSON StreamId processing errors: `05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker...
Universal forwarder different domain from where the Splunk is running
When installing the universal forwarder into a trusted domain, do I need to add an account from domain A into domain B? The instructions for the universal forwarder say a domain user account is needed so I...
Blacklist Windows security event log with system account
I am trying to filter out noise before it is sent to the indexer. We were using Windows Event Forwarding previously, which was able to filter, but now I am trying to create the same filter. I am...
Configuration file precedence on universal forwarder and indexer
Hi all, We set sourcetype in inputs.conf on universal forwarder, e.g. [monitor:///Firewall/*/*_pa_firewall.log] ignoreOlderThan=1d disabled = false host_segment = 2 index = network sourcetype = pan:log...
Missing logs for eventcode 4776 (Windows TA installed on universal forwarder...
Hello, I'm able to receive almost all eventcodes for `wineventlog:security` but missing the logs for eventcode 4776. I have the Windows TA app installed on the universal forwarder and search head. I...
How can we restrict computer owners from injecting more data into Splunk?
How can we restrict computer owners from injecting more data into Splunk? We have around 1000 computers which report to our Splunk Cloud through universal forwarders. Initially all the forwarders...
Universal Forwarder not reading user-seed.conf (version 7.2.6).
I have read other articles but haven't found an answer. I recently pushed the universal forwarder to Windows clients to upgrade from 6.5.1 to 7.2.6 and did not set the user password. The forwarder is...
Can I configure the output.conf file via app deployment to enable encryption...
I am trying to enable encryption of the traffic from all of my universal forwarders to the indexer. Looks like this involves updating the `output.conf` file on the forwarder (makes sense). No big deal...
How to adjust timestamps for some sources coming from the universal forwarder?
I have a certain host that sends several logs from multiple sources using the Linux Universal Forwarder. Most of these logs are written in the host and then to Splunk as UTC although the host is...
Not receiving data from universal forwarders when netstat shows domain...
Hi, I configured a Splunk enterprise indexer to monitor active directory. That worked without issues, it found my domain controllers right away. I also configured the `forwarders conf` file properly,...
How to limit heavy forwarder bandwidth in limits.conf?
Hello guys, is it possible to limit heavy forwarders' bandwidth like UF (setting [thruput] in `limits.conf` for forwarders)? Thanks.
Can't determine universal forwarder service account
Hi, I've inherited a poorly documented Splunk deployment that seems to have been misconfigured. The universal forwarder service isn't starting on workstations due to a logon issue. Either the password...
Windows Universal Forwarder unable to read log files
Hi all, In our environment, we have several Windows UF managed by a deployment server. We didn't apply any change on the forwarders, and some of them are unable to send some of the data to the...
Universal Forwarder error with Splunk Indexer (SSL)
So I have a Universal forwarder installed on a Windows system (v7.3.3) and I have it set up to communicate with my Splunk Enterprise server (v. 7.3.4). The Windows system has checked into Splunk, when...
Universal Forwarder on Windows: Errors with Splunk Indexer (SSL).
So I have a Universal forwarder installed on a Windows system (v7.3.3) and I have it set up to communicate with my Splunk Enterprise server (v. 7.3.4). The Windows system has checked into Splunk, when...
File/Directory Information Input App: Seeing error in the log (server has...
Hi, Just installed the app on a universal forwarder and getting this error in the log. Any idea what the issue is? Is there any configuration I need to edit other than inputs.conf? Thanks. Server has...