Hi there,
I have the following issue detected in our environment and I'm not sure where the problem comes from.
We have several Windows Servers monitored with a heavy forwarder. The event logs are grabbed remotely via WMI.
So far everything works as expected.
Now we have done a new installation of one Windows Server.
The Server has the same name and IP address. Only the OS has changed from Windows Server 2008 R2 to Windows Server 2012 R2.
If I do a wbemtest on the Splunk heavy forwarder with the user the Splunk service is running as, I can see the events from the freshly installed server. So there are no permission or firewall issues between the forwarder and the Windows Server.
But I can't see any events from this server on the indexer.
Does someone have an idea what is going wrong, or how I can figure out the problem?
For your information: I removed the configuration of the Windows Server on the forwarder, restarted the forwarder, added the Windows Server again and restarted the forwarder. Nothing happens.
I removed the index of the Windows Server from the indexer, restarted the indexer and added the index again. Nothing happens.
Could it be possible that the Splunk forwarder stores information about grabbed events in another file?
I'll be very thankful for any ideas.
[edit: it's a heavy forwarder not a universal one]