Connection error from Windows Heavy Forwarder

MasterOogway — Fri, 01 Oct 2010 22:13:33 GMT

I am trying to forward *.log files from a windows server to a linux index server. I get the WMI data to index; I get the correct files listed from "splunk list monitor", but I don't get the log files indexing from the output of "splunk list monitor" in question.

I have confirmed the windows server can connect to the index server:

# netstat -an | grep 9000 tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN
. . tcp 0 0 xx.xx.17.53:9000 xx.xx.16.83:36092 ESTABLISHED

And here is the output from the splunkd.log file:

10-01-2010 07:08:30.975 INFO TcpInputProc - Connection in cooked mode from xxx-xxx.com 10-01-2010 07:08:30.984 INFO TcpInputProc - Connection accepted from xxx-xxx.com 10-01-2010 07:08:45.257 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::WinEventLog:Application|host::xxxxxx|WinEventLog:Application|remoteport::33982" Text="quiresLogon/ 10-01-2010 07:08:45.257 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::WinEventLog:Application|host::xxx xxx|WinEventLog:Application|remoteport::33982" Text="com;blah.blah.com 10-01-2010 07:21:47.493 ERROR TcpInputProc - Error encountered for connection from host=xxx-xxx.com, ip=10.204.16.83. Timeout 10-01-2010 07:21:47.493 INFO TcpInputProc - Hostname=xxx-xxx.com closed connection 10-01-2010 08:01:40.402 INFO TcpInputProc - Connection in cooked mode from xxx-xxx.com 10-01-2010 08:01:40.413 INFO TcpInputProc - Connection accepted from xxx-xxx.com

Any idea why I get WMI and not *.log even though "splunk list monitor" shows I should?

Pstein

Re: Connection error from Windows Heavy Forwarder

axlbonn — Fri, 26 Nov 2010 15:51:48 GMT

check if you have windows app enable on your linux indexer first.

topic Connection error from Windows Heavy Forwarder in Getting Data In

Connection error from Windows Heavy Forwarder

Re: Connection error from Windows Heavy Forwarder