Channel: Questions in topic: "universal-forwarder"
Browsing all 1551 articles

Why does a Splunk 6.2.x or 6.3.x Universal Forwarder on Windows 2012 generate...

We have noticed that Splunk Universal Forwarder (version does not appear to matter, 6.2.x or 6.3.x) on Windows 2012 seems to cause an excessive number of starts and stops of the WMI service (indicated...

How to set time interval on a universal forwarder to check a specific file in...

Hi, I have one application at my company which logs only once a day. It hereby overwrites the file of the day before. How can I tell the universal forwarder to grab a specific file only once a day? I...

How to migrate universal forwarders from one Splunk environment to another?

Hi, I have a Splunk environment with about 35 universal forwarders that are managed by a deployment server. Recently I installed a new & bigger environment. I looked up how to create an app on my...

How to configure a universal forwarder to receive syslog messages, and then...

Trying to figure out how to receive syslog messages sent to port 6514 over TLS on a Splunk universal forwarder, and then forward those syslog messages on to Splunk Enterprise on another server.

My Splunk 6.3.2 universal forwarder is connecting, but why am I seeing "Could...

Hi, I have a UFW running 6.3.2, and I'm seeing the following in my logs on a regular basis. I'm also being told that data is missing... 01-20-2016 21:35:00.859 -0500 INFO TailReader - Continuing......

Universal Forwarder folder path monitor

What stanza do I set in the Universal Forwarder to send data to the indexers from a folder path? I want to send output from "/var/log/file.log" to the indexers in a new index called "IndexA".

How to create a Non Administrative User Account to run universal forwarders...

Hi All, I need to install a Universal forwarder in our environment, but due to strict policies, we cannot give the user it runs with administrative rights. Could you please give me a list of minimum...

How to troubleshoot why my universal forwarder is not phoning home?

I installed my universal forwarder on an Ubuntu server. I have successfully established a connection to my Splunk Enterprise server (netstat). And as I continue pinging my Splunk server from my...

How to configure a universal forwarder on Windows to send data to another...

I already installed the universal forwarder on a Windows system. What I would like to do is get the data into another Windows system from the forwarder, but I can't figure this out, so please help me....

Is this the correct stanza and location to monitor specific files on a *nix...

I am trying to have my universal forwarder monitor a specific file or sets of files on a *nix server: Would this be the correct stanza to place into my outputs.conf file location?:...

Can someone help me understand how protocols, permissions, and communication...

1. Protocols, I am assuming that everything is running on TCP, but perhaps UDP is required as well 2. Permission, there is no mention on permission set for the Splunk Universal forwarder. This should...

Moving to a least privileged model for service accounts, what permissions are...

We are moving to a least privileged model for service accounts and I have to ask the question of what permissions Splunk needs for the following: What permissions will be needed for WMI collections?...

Splunk for Snort: How to configure a universal forwarder to monitor Snort...

I have successfully installed my universal forwarder and it has a connection to Splunk. Though I am getting data (not sure if it's my snort logs) in source=_internal with a host = bss (which is my host...

Is it possible to configure an app in Splunk to overwrite the hostname in...

Hi all, New to Splunk here. I have configured 100 servers to send syslog data. I did this by using puppet to install the universal forwarder, and set a deployment server address to my Splunk server,...

Why am I unable to see the Splunk Universal Forwarder from the Splunk Cloud...

I'm unable to see Splunk Universal Forwarder from Splunk Cloud trial. I'm trying Splunk Cloud and I have installed the Splunk Universal Forwarder in one of the client's DEV servers. Ports were also...

After updating our universal forwarders from Splunk 6.1.2 to 6.2.8, why is...

After updating our universal forwarders from 6.1.2 to 6.2.8 Windows Security logs are coming in without the Account_Name field populated. The SID is populated but that isn't nearly as useful as the...

How to configure a Splunk universal forwarder and receiver on Windows?

Can you please help me in detail with configuring the Splunk universal forwarder and receiver on Windows? I would like to get the data from a forwarder to another Windows system (receiver).

Splunk App for Windows Infrastructure: Should the splunk-powershell.exe...

**Splunk Enterprise 6.3 on Windows 2012r2 Windows Universal forwarder also 6.3 on Windows 2012r2** I have deployed the latest versions (as of January 2016) of the Splunk Windows Infrastructure app...

Why are no events being indexed for files being monitored on a universal...

Hi, I am trying to enable file monitoring using a Splunk universal forwarder, but not able to see any events generated. I've followed other articles for this issue, but in vain. As a test, I created a...

How do I configure custom sourcetypes on Universal Forwarders and Indexers

I have two Linux VMs set up, one with a Universal Forwarder and one with an Indexer. I have a script that generates dummy data (on the forwarder) that needs a custom sourcetype set up in order to parse...
