<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Universal forwarder not connecting in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58312#M11461</link>
    <description></description>
    <pubDate>Thu, 26 Jan 2012 13:58:26 GMT</pubDate>
    <dc:creator>cmaxfield</dc:creator>
    <dc:date>2012-01-26T13:58:26Z</dc:date>
    <item>
      <title>Universal forwarder not connecting</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58312#M11461</link>
      <description>&lt;P&gt;I've been trying to set up a universal forwarder to send to Splunk, and it doesn't appear to want to connect. Here's my current outputs.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
defaultGroup = 172.31.**.**_9997

[tcpout:172.31.**.**_9997]
server = 172.31.**.**:9997

[tcpout-server://172.31.**.**:9997]
compressed = false
indexAndForward = false
sslCertPath = /opt/splunkforwarder/etc/auth/server.pem
sslPassword = $1$Ljp9kArNr5Od
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
sslVerifyServerCert = false
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;And this is what I get when I list forward-server:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Active forwards:
        None
Configured but inactive forwards:
        172.31.**.**:9997 (ssl)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;My receiver is set up, receives data from other forwarders per our security guy. Any suggestions? We found a firewall issue yesterday, so that got removed. Now our firewall is showing the packets going out. Not sure if I just need to restart our Splunk server, or what. Security guy doesn't want to do that though as we currently have other forwarders sending info to it. &lt;/P&gt;</description>
      <pubDate>Thu, 26 Jan 2012 13:58:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58312#M11461</guid>
      <dc:creator>cmaxfield</dc:creator>
      <dc:date>2012-01-26T13:58:26Z</dc:date>
    </item>
    <item>
      <title>Re: Universal forwarder not connecting</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58313#M11462</link>
      <description>&lt;P&gt;If the other data coming into the Splunk server is sent from other forwarders, you could probably restart the server without a problem; the forwarders will notice that the server is down and continue sending when it's up again.&lt;/P&gt;

&lt;P&gt;If your Splunk server also receives syslog data (over UDP) you will lose data during a restart, as the sending party will have no way of knowing that the data got lost.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Jan 2012 14:25:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58313#M11462</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2012-01-26T14:25:05Z</dc:date>
    </item>
    <item>
      <title>Re: Universal forwarder not connecting</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58314#M11463</link>
      <description>&lt;P&gt;I don't know what the data is, whether it's UDP vs TCP. Which is why I don't want to shut it off while he's on vacation. If I absolutely need to, then I will. But would rather do whatever I can to the forwarder first to be 115% certain it's not that.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Jan 2012 14:46:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58314#M11463</guid>
      <dc:creator>cmaxfield</dc:creator>
      <dc:date>2012-01-26T14:46:10Z</dc:date>
    </item>
    <item>
      <title>Re: Universal forwarder not connecting</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58315#M11464</link>
      <description>&lt;P&gt;cm&lt;/P&gt;

&lt;P&gt;You won't lose any data if you restart the server or splunkd because the syslog will still be present on the local system (or switch etc.) that is sending it and you can always pull it from there.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Jan 2013 16:44:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-not-connecting/m-p/58315#M11464</guid>
      <dc:creator>mship</dc:creator>
      <dc:date>2013-01-23T16:44:37Z</dc:date>
    </item>
  </channel>
</rss>

