topic Forward Data to Splunk Server in Deployment Architecture

Forward Data to Splunk Server

Kai191 — Tue, 19 Mar 2013 07:03:43 GMT

Hi, I am new to Splunk and I would like to ask how to send data over from the client PC over to my Splunk server, which is in a VM workStation. (I know it had to use a fowarder, but I just could't get my data to send over, and config, the receiver to using port 9997.(I am capturing tcp packet))

Re: Forward Data to Splunk Server

Ayn — Tue, 19 Mar 2013 08:36:15 GMT

Some more information could certainly help - where are you currently getting stuck?

Re: Forward Data to Splunk Server

Kai191 — Wed, 20 Mar 2013 02:13:40 GMT

I am currently stuck at unable to send data over to my splunk server.

Re: Forward Data to Splunk Server

vincesesto — Wed, 20 Mar 2013 02:52:46 GMT

Hey Kai191,
I think Ayn is trying to get some further information on your set up and what troubleshooting you have performed so far. Can you please do the following and provide the answers:
1. can you telnet from the forwarder to indexer on port 9997, eg; telnet 9997
2. Have you set up the /opt/splunkforwarder/etc/system/local/outputs.conf and print out the info
3. Can you please run a netstat to see if ports are listening on the index host, eg; netstat -tnap | grep 9997
4. Are you seeing any errors in the splunkd or metrics logs on the forwarder.

Regards Vince

Re: Forward Data to Splunk Server

Kai191 — Wed, 20 Mar 2013 07:05:18 GMT

Hi Vince,
1) I am unable to telnet.
2) I had set the file in the required path.
3) I used netstat -a it show 0.0.0.0 9997 is listening (is it correct?)
4) how do i see the splunkd or metric log?
I am just a beginner in splunk, so your patience is much appreciated

Thanks in advance for the help.

Re: Forward Data to Splunk Server

ddarmand — Wed, 20 Mar 2013 07:34:22 GMT

Can you use the universal forwarder ?

Re: Forward Data to Splunk Server

Kai191 — Thu, 21 Mar 2013 05:39:23 GMT

I only installed the splunk forwarder

Re: Forward Data to Splunk Server

Ayn — Thu, 21 Mar 2013 07:19:49 GMT

That is likely the same thing.

Re: Forward Data to Splunk Server

vincesesto — Thu, 21 Mar 2013 22:10:35 GMT

Hey Kai191, with regard to the logs, if you are on the forwarder and you go to the following location, you will be able to see the log files:
/opt/splunkforwarder/var/log/splunk

Have a look through the splunkd logs...this should let you know if there are any connection issues with the forwarder connecting to the indexer

Re: Forward Data to Splunk Server

neelb — Tue, 28 Jan 2014 09:47:07 GMT

Hi,

I am new to splunk. I used splunk forwarder to forward data to splunk indexer(receiver). Can you please suggest how to check on the receiver that the data sent from the forwarder is indexed.

Thanks,
Neel

Re: Forward Data to Splunk Server

templier — Tue, 28 Jan 2014 09:56:55 GMT

Hello!

What operating system are you using?

Re: Forward Data to Splunk Server

neelb — Tue, 28 Jan 2014 10:00:55 GMT

i am using Fedora(linux).

Re: Forward Data to Splunk Server

templier — Tue, 28 Jan 2014 10:13:15 GMT

Ok, Fedora on server (indexer) and fedora on machines where it will be necessary to collect data?

First thing to do to set the port to transfer data on the server (indexer) go Settings-Forwarding and receiving-Receive data-Add new and add 9997 porn (
or other free open port).
After that go to the machine where you installed splunk forwarder (/opt/splunkforwarder/etc/system/) and edit outputs.conf

Re: Forward Data to Splunk Server

templier — Tue, 28 Jan 2014 10:13:19 GMT

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = Server (indexer) ip:9997

[tcpout-server://Server (indexer):9997]

In inputs.conf add directory where you need to take logs.

I use splunk for colleck snort logs from ubuntu and windows. If you want i can send you me config file as an example.

Re: Forward Data to Splunk Server

neelb — Tue, 28 Jan 2014 10:23:02 GMT

In output.conf the setting is already done. I set previously. Please send the input.conf so that I can configure it.
I already added a path to splunkforwarder to monitor using the following command:

./splunk add monitor

how can i understand that is data is sent to the indexer. And indexer is really receiving the data.

Re: Forward Data to Splunk Server

templier — Mon, 28 Sep 2020 15:44:23 GMT

Example my inputs.conf from one of computer:
[default] host = hostname

[monitor:///var/log/Snort_log]
disabled = false
sourcetype = snort_alert_full
index = snort

For test you can specify the directory with the syslogs and change sourcetype.

[monitor:///var/log/syslog.log] disabled = false sourcetype = syslog index = main
And restart.

In _internal index you can see information about the connection forwarder to server.
In search line enter index="_internal"

Re: Forward Data to Splunk Server

neelb — Tue, 28 Jan 2014 10:45:58 GMT

how can i understand that is data is sent to the indexer from forwarder ? And indexer is really receiving the data.