topic Re: data input & forwarding on universal forwarders in Getting Data In

data input & forwarding on universal forwarders

remy06 — Wed, 07 Sep 2011 07:58:07 GMT

I've installed universal forwarder on linux system and have configured the forwarder to forward linux log to indexer ip 3.4.5.6:

inputs.conf

[monitor://path.../myfile]

host = 1.2.3.4

sourcetype = linux:log

output.conf

[tcpout]

server = 3.4.5.6

Still unable to receive any logs from the forwarder yet. Anything I've missed?

Re: data input & forwarding on universal forwarders

Drainy — Wed, 07 Sep 2011 11:18:10 GMT

you should define a port;
eg

[tcpoutip_port]
server = ip:port

and then ensure you have seutp your indexer to receive on the same port.
To then verify on the web gui that there is connectivity or to help troubleshoot then you could perform a search as an admin like;
index=_internal tcpin*

Re: data input & forwarding on universal forwarders

remy06 — Wed, 14 Sep 2011 03:03:48 GMT

I've re-checked the documentation and followed the syntax.

In inputs.conf

[monitor:///path.../myfile]

host = 1.2.3.4

sourcetype = linux:log

outputs.conf

[tcpout-server://3.4.5.6:3333]

compressed=false

Understood that outputs.conf is provided with universal forwarder in the search app.I can't find it, and if were to create it manually should it be placed at opt/splunk/etc/../search/default ?

Re: data input & forwarding on universal forwarders

remy06 — Mon, 19 Sep 2011 01:48:40 GMT

So...anyone knows where to locate outputs.conf that comes with universal forwarder...

Re: data input & forwarding on universal forwarders

kristian_kolb — Mon, 19 Sep 2011 14:55:34 GMT

Well, you may find several outputs.conf files on your system, popular paths include:

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local
/opt/splunkforwarder/etc/apps/search/local
/opt/splunkforwarder/etc/system/local

Don't mess with any of the ../default/outputs.conf files.

The problem may also lie elsewhere;

Compression must be enabled on both the forwarding and receiving end.
On the forwarder, try '/opt/splunkforwarder/bin/splunk btool outputs list' to see the current configuration for outputs.
Do you see any network traffic going out of your forwarder? Try 'netstat -an | grep 3333'. If you do not see that the connection is ESTABLISHED, you may have a firewall blocking the traffic.
Does your monitor stanza identify your source files/directory correctly? Try to see what the forwarder thinks by connecting to the REST api. This requires that you have changed the default password ('changeme') for the admin account on the forwarder. https://your-forwarder-ip-or-name:8089/services/admin/inputstatus/TailingProcessor:FileStatus
Always look through the splunkd.log for errors (in /opt/splunkforwarder/var/log/splunk/). Stop the forwarder. Make note of the time. Start the forwarder. Look through the splunkd.log from the time when you (re-)started.

Hope this helps,

Kristian

Re: data input & forwarding on universal forwarders

nrjsh1988 — Tue, 13 May 2014 07:50:15 GMT

You can find it here :-

/opt/splunk/etc/system/local/outputs.conf