Channel: Questions in topic: "heavy-forwarder"

Why am I getting an error when sending logs from universal forwarder to heavy forwarder?

Hello, I have some Windows systems that I'm trying to send logs from via a universal forwarder, to a heavy forwarder. However, I am getting an error on the heavy forwarder:

    WARN IndexerService - Received event for unconfigured/disabled/deleted index=testwineventlog with source="source::tcp:5513" host="host::*hostname*" sourcetype="sourcetype::tcp-raw". So far received events from 1 missing index(es).

On the universal forwarder, I have the inputs.conf configured:

    [WinEventLog://Application]
    disabled = 0
    interval = 60
    evt_resolve_ad_obj = 0
    evt_dc_name =
    evt_dns_name =
    index = testwineventlog

    [WinEventLog://System]
    disabled = 0
    interval = 60
    evt_resolve_ad_obj = 0
    evt_dc_name =
    evt_dns_name =
    index = testwineventlog

    [WinEventLog://Security]
    disabled = 0
    interval = 60
    evt_resolve_ad_obj = 0
    evt_dc_name =
    evt_dns_name =
    whitelist = 4624-4626,4634,4647-4649,4672-4674
    index = testwineventlog

My outputs.conf file on the universal forwarder is:

    [tcpout:hq]
    server = *heavy forwarder hostname*:5513

I don't have indexing enabled on the heavy forwarder (no entry for it, it should default to disabled, right?)

    [default]
    host=*hostname*

    [tcp:5514]
    connection_host=dns
    sourcetype=syslog
    persistentQueueSize=1GB
    index=hq

    [tcp:5513]
    connection_host=dns
    persistentQueueSize=1GB
    index=testwineventlog

Also, why am I seeing sourcetype raw? Doesn't the wineventlog input set that sourcetype on the universal forwarder? The heavy forwarder doesn't recognize it?
