topic Re: getting errors from my splunk logs on monitor PC in Getting Data In

getting errors from my splunk logs on monitor PC

rsingh — Mon, 03 Oct 2016 20:07:17 GMT

Error 1 - ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.

Error 2 - ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::enumEvtLogChannels: Failed to enumerate event log channels: '(1722)'.

Error 3 - WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 400 seconds.

this is my input.conf

[default]
host = MYSERVER4

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[splunktcp://9996]
Connection_host = none

output.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = mysplunk.domain.com:9996

[tcpout-server://mysplunk.domain.com:9996]

please help. i can telnet into port 9996 and my splunk server = Forwarding and Receiving > Receiving on port 9996

Re: getting errors from my splunk logs on monitor PC

dperre_splunk — Mon, 03 Oct 2016 20:20:51 GMT

Are you running the Splunk service as a user or local system? When you disable the service and run the following command 'netstat -ano | findstr 9996' is there a record there?

Re: getting errors from my splunk logs on monitor PC

rsingh — Mon, 03 Oct 2016 20:23:50 GMT

Splunk service is running as a local user, i stoped the service and run 'netstat -ano | findstr 9996

where should i look for the record?

Re: getting errors from my splunk logs on monitor PC

dperre_splunk — Mon, 03 Oct 2016 20:25:18 GMT

Change the service to run as local system. Unless you are pulling logs remotely from that machine I don't see any need to run as a user account.

Re: getting errors from my splunk logs on monitor PC

rsingh — Mon, 03 Oct 2016 20:29:09 GMT

i do have a Red Hat splunk server

Re: getting errors from my splunk logs on monitor PC

dperre_splunk — Mon, 03 Oct 2016 20:34:06 GMT

Sorry, I was talking about the universal forwarder. Make the actions I mentioned above on the host that is running the universal forwarder should be a windows machine. So let me know what user is running the service and what the results of the netstat command are.

Also, Add disabled = 0 under splunktcp:9996 on your indexer.

Re: getting errors from my splunk logs on monitor PC

lguinn2 — Tue, 04 Oct 2016 02:36:18 GMT

This should NOT be part of the inputs.conf on your forwarder:

[splunktcp://9996]
Connection_host = none

The forwarder is blocking itself.

If I misunderstood and both of these files are on the indexer: then the indexer is forwarding to itself, and again, it will be blocking.

I see these types of messages often when I make similar typos...

Re: getting errors from my splunk logs on monitor PC

rsingh — Tue, 04 Oct 2016 12:56:09 GMT

ok so the universal forwarder is running as Local System, i ran a netstat command - where do i find the results? after i ran the command nothing happens

Re: getting errors from my splunk logs on monitor PC

rsingh — Tue, 04 Oct 2016 12:56:40 GMT

i removed the [splunktcp://9996] Connection_host = none but the errors are still occuring

Re: getting errors from my splunk logs on monitor PC

dperre_splunk — Tue, 04 Oct 2016 16:58:57 GMT

Hi rsingh,
Can you edit your original post and let us know where you got each config from please. Ie was inputs.conf from indexer or universal forwarder and the same for outputs.conf

Re: getting errors from my splunk logs on monitor PC

rsingh — Tue, 04 Oct 2016 17:01:27 GMT

do you mean the location of the input and output.conf? if so i edit them from here

C:\Program Files\SplunkUniversalForwarder\etc\system\local