https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56801#M11065 <P>Well, you could check the following things;</P> <P>Is there even a network connection between the two machines?<BR /> open up a CMD prompt and type <CODE>netstat -an | find "ESTABLISHED"</CODE><BR /> If there is no connection between the machines you may have a firewall issue</P> <P>Check the <CODE>splunkd.log</CODE> for errors (located in <CODE>/opt/splunk/var/log/splunk</CODE> on <CODE>*</CODE>nix, and in <CODE>c:\program files\splunk[universalforwarder]\var\log\splunk</CODE> on win<CODE>*</CODE> - unless you've changed install locations). </P> <P>Check to see if you have configured monitoring correctly. On the forwarding end, type <CODE>splunk list monitor</CODE> at the command line. Ensure that you have gotten your (back)slashes in correctly in your monitor stanzas.</P> <P>If neither of these things will help you to get this going, please supply the outputs.conf from the forwarder, and the inputs.conf from both machines. Depending on how you configured Splunk, these are most likely located in <CODE>/splunk/etc/apps/search</CODE>, <CODE>splunk/etc/apps/launcher</CODE> or <CODE>/splunk/etc/system/local</CODE>. You should have more than on instance of each file on both machines.</P> <P>Hope this helps,</P> <P>Kristian</P> Wed, 25 Jan 2012 09:42:33 GMT kristian_kolb 2012-01-25T09:42:33Z https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56800#M11064 <P>So, I've installed and configured the Splunk forward on my Intranet Server. I'm trying to get the IIS logs from <CODE>\Windows\Syste32\LogFiles\W3SVC</CODE> folder. I think that I've configured it properly and have set up the receiving in Manager. Is there anything else on the reciever that I need to set up? I'm not getting any files. How can I test to see if the Intranet Server is even sending the Data?</P> Tue, 24 Jan 2012 18:49:01 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56800#M11064 bherbert 2012-01-24T18:49:01Z https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56801#M11065 <P>Well, you could check the following things;</P> <P>Is there even a network connection between the two machines?<BR /> open up a CMD prompt and type <CODE>netstat -an | find "ESTABLISHED"</CODE><BR /> If there is no connection between the machines you may have a firewall issue</P> <P>Check the <CODE>splunkd.log</CODE> for errors (located in <CODE>/opt/splunk/var/log/splunk</CODE> on <CODE>*</CODE>nix, and in <CODE>c:\program files\splunk[universalforwarder]\var\log\splunk</CODE> on win<CODE>*</CODE> - unless you've changed install locations). </P> <P>Check to see if you have configured monitoring correctly. On the forwarding end, type <CODE>splunk list monitor</CODE> at the command line. Ensure that you have gotten your (back)slashes in correctly in your monitor stanzas.</P> <P>If neither of these things will help you to get this going, please supply the outputs.conf from the forwarder, and the inputs.conf from both machines. Depending on how you configured Splunk, these are most likely located in <CODE>/splunk/etc/apps/search</CODE>, <CODE>splunk/etc/apps/launcher</CODE> or <CODE>/splunk/etc/system/local</CODE>. You should have more than on instance of each file on both machines.</P> <P>Hope this helps,</P> <P>Kristian</P> Wed, 25 Jan 2012 09:42:33 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56801#M11065 kristian_kolb 2012-01-25T09:42:33Z https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56802#M11066 <P>01-25-2012 12:24:56.633 -0500 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected<BR /> 01-25-2012 12:25:04.821 -0500 WARN TcpOutputProc - Cooked connection to ip=10.0.50.87:9997 timed out</P> <P>Looking at the Event Viewer on the Reciever it appears the local firewall is blocking the packets from the forwarder. I assume I'll need to add an exception to the firewall but, what exactly do I need to add? Doesn't appear its using the same port everytime. Suggestions?</P> Wed, 25 Jan 2012 17:59:57 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56802#M11066 bherbert 2012-01-25T17:59:57Z https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56803#M11067 <P>Well, I'm not too familiar with configuring <INSERT your="" fw="" here="">. As for ports, the splunk indexer (receiver) is using the same port all the time, unless you have made an advanced configuration. Most people tend to use port 9997 for log transport. If your indexer is also a Deployment Server, you want to allow traffic from your forwarder to port 8089 (default) on the server.</INSERT></P> Thu, 26 Jan 2012 16:12:42 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-up-Forwarder-and-Testing/m-p/56803#M11067 kristian_kolb 2012-01-26T16:12:42Z