https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181434#M36387 <P>Hi,</P> <P>We have installed Splunk to forward audit logs from LDAP to server02 and are not getting any events from the server. The logs are filtered and forwarded correctly to server01 just not to server02. Is this because server02 is not defined in the defaultgroup ? </P> <P>Please advice.</P> <P>Here are the configuration files.</P> <P>Inputs.conf (Entry)<BR /> [monitor:///logsa/audit.log]<BR /> source = IT-LDAP-audit-ldapdb2<BR /> sourcetype = IT-LDAP-audit_entry<BR /> disabled = false</P> <P>Outputs.conf<BR /> [tcpout]<BR /> defaultGroup = default-clone-group-server01_9997<BR /> disabled = false<BR /> isLoadBalanced = False<BR /> maxQueueSize = 1000<BR /> indexAndForward = false</P> <P>[tcpout:server02_1536]<BR /> disabled = false<BR /> server = server02.com:1536</P> <P>[props.conf]<BR /> [IT-LDAP-audit_entry]<BR /> TIME_PREFIX = ^AuditV3--<BR /> TIME_FORMAT = %Y-%m-%d-%H:%M:%S<BR /> TZ = US/Eastern<BR /> BREAK_ONLY_BEFORE = ^AuditV3--<BR /> TRANSFORMS-skip = knownldapaudit<BR /> TRANSFORMS-routing = arcsightldapnp</P> <P>[transform.conf]<BR /> [arcsightldapnp]<BR /> REGEX = Invalid credentials<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = arcsightldapnpreader</P> Mon, 28 Sep 2020 17:20:07 GMT kvmuralidhar 2020-09-28T17:20:07Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181434#M36387 <P>Hi,</P> <P>We have installed Splunk to forward audit logs from LDAP to server02 and are not getting any events from the server. The logs are filtered and forwarded correctly to server01 just not to server02. Is this because server02 is not defined in the defaultgroup ? </P> <P>Please advice.</P> <P>Here are the configuration files.</P> <P>Inputs.conf (Entry)<BR /> [monitor:///logsa/audit.log]<BR /> source = IT-LDAP-audit-ldapdb2<BR /> sourcetype = IT-LDAP-audit_entry<BR /> disabled = false</P> <P>Outputs.conf<BR /> [tcpout]<BR /> defaultGroup = default-clone-group-server01_9997<BR /> disabled = false<BR /> isLoadBalanced = False<BR /> maxQueueSize = 1000<BR /> indexAndForward = false</P> <P>[tcpout:server02_1536]<BR /> disabled = false<BR /> server = server02.com:1536</P> <P>[props.conf]<BR /> [IT-LDAP-audit_entry]<BR /> TIME_PREFIX = ^AuditV3--<BR /> TIME_FORMAT = %Y-%m-%d-%H:%M:%S<BR /> TZ = US/Eastern<BR /> BREAK_ONLY_BEFORE = ^AuditV3--<BR /> TRANSFORMS-skip = knownldapaudit<BR /> TRANSFORMS-routing = arcsightldapnp</P> <P>[transform.conf]<BR /> [arcsightldapnp]<BR /> REGEX = Invalid credentials<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = arcsightldapnpreader</P> Mon, 28 Sep 2020 17:20:07 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181434#M36387 kvmuralidhar 2020-09-28T17:20:07Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181435#M36388 <P>Yes you need to specify it in default group. </P> <P>Splunk documentation says -- * Starting with 4.2, this attribute is no longer required. But somehow this doesn't work. </P> Thu, 14 Aug 2014 11:21:12 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181435#M36388 strive 2014-08-14T11:21:12Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181436#M36389 <P>Hi Strive,</P> <P>Thank your for your quick response.</P> <P>Murali</P> Thu, 14 Aug 2014 11:32:21 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181436#M36389 kvmuralidhar 2014-08-14T11:32:21Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181437#M36390 <P>Did it work?</P> Thu, 14 Aug 2014 12:20:46 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181437#M36390 strive 2014-08-14T12:20:46Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181438#M36391 <P>Hi Steve,</P> <P>Sorry for the delayed response. It did not work. Here is the relevant info from props.conf, outputs.conf, &amp; transforms.conf file.</P> <P>props.conf entry<BR /> [IT-LDAP-audit_entry]<BR /> TIME_PREFIX = ^AuditV3--<BR /> TIME_FORMAT = %Y-%m-%d-%H:%M:%S<BR /> TZ = US/Eastern<BR /> BREAK_ONLY_BEFORE = ^AuditV3--<BR /> TRANSFORMS-routing = arcsightldapnp</P> <P>Transforms.conf entry<BR /> [arcsightldapnp]<BR /> REGEX = .<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = arcsightldapnpreader</P> <P>Outputs.conf</P> <P>[tcpout:arcsightldapnpreader]<BR /> disabled = false<BR /> server = servername:1536</P> <P>Thanks in advance for your help</P> <P>Murali</P> Mon, 28 Sep 2020 17:24:08 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-forwarder-is-not-forwarding-events/m-p/181438#M36391 kvmuralidhar 2020-09-28T17:24:08Z