https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705047#M20901 <P>Look at the local splunkd.log file to see any connection attempts to the destination IP.</P> Fri, 22 Nov 2024 15:04:29 GMT dural_yyz 2024-11-22T15:04:29Z https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705025#M20893 <P>Hello everyone! I need help/hint: I tried to set up log forwarding from MacOS (ARM) to Splunk, but the logs never arrived. I followed the instructions from this <A href="https://youtu.be/rs6q28xUd-o?si=1fkEZEo-1m2xmx8s" target="_self">video</A>, and also installed and configured Add-on for Unix and Linux. And what index will they appear in? Thanks!</P><P class=""><SPAN class="">Inside /Applications/SplunkForwarder</SPAN><SPAN class="">/etc/system/local i have:&nbsp;</SPAN><SPAN class="">inputs.conf, outputs.conf, server.conf.</SPAN></P><P class=""><SPAN class="">inputs.conf</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">[monitor:///var/log/system.log] disabled = 0</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P class=""><SPAN class="">outputs.conf<BR /></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">[tcpout:default-autolb-group] server = ip:9997 compressed = true [tcpout-server://ip:9997]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P class=""><SPAN class="">server.conf</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">[general] serverName = pass4SymmKey = [sslConfig] sslPassword = [lmpool:auto_generated_pool_forwarder] description = auto_generated_pool_forwarder peers = * quota = MAX stack_id = forwarder [lmpool:auto_generated_pool_free] description = auto_generated_pool_free peers = * quota = MAX stack_id = free</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 22 Nov 2024 22:58:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705025#M20893 user487596 2024-11-22T22:58:25Z https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705047#M20901 <P>Look at the local splunkd.log file to see any connection attempts to the destination IP.</P> Fri, 22 Nov 2024 15:04:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705047#M20901 dural_yyz 2024-11-22T15:04:29Z https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705049#M20902 <P class=""><SPAN class="">WARN<SPAN class="">&nbsp; </SPAN>TcpOutputProc [22637 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=ip&nbsp;</SPAN><SPAN class="">inside output group default-autolb-group from host_src=&nbsp;</SPAN><SPAN class="">has been blocked for blocked_seconds=16061. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.</SPAN></P><P class=""><SPAN class="">ERROR TcpOutputFd [22638 TcpOutEloop] - Read error. Connection reset by peer</SPAN></P><P class=""><SPAN class="">It turns out there is no network interaction between the workstation and the splunk?</SPAN></P> Fri, 22 Nov 2024 15:08:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705049#M20902 user487596 2024-11-22T15:08:45Z https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705058#M20905 <P>Here we go.&nbsp; So this could be network transmissions so check for firewall blocks and any routing issues first.&nbsp; Then look into SSL connection issues last.</P> Fri, 22 Nov 2024 15:43:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/macOS-Universal-Forwarder/m-p/705058#M20905 dural_yyz 2024-11-22T15:43:31Z