topic Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration? in Getting Data In

Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

venanciop — Mon, 21 Sep 2015 20:10:32 GMT

inputs.conf

[default]
host = linux_fowarder_server

[monitor:///var/log/secure]
disabled = false

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = SPLUNKSERVERNAME:514

[tcpout-server://SPLUNKSERVERNAME:514]

deploymentclient.conf

[deployment-client]
clientName = LinuxForwarder
[target-broker:deploymentServer]
targetUri= SPLUNKSERVERNAME:8089

server.conf

[sslConfig]
sslKeysfilePassword = $1$INbYbpZpebsv

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

[general]
pass4SymmKey = $1$d5qMMtMvMukv
serverName = _linux_fowarder_server_name

I've already enabled port 514 and 9997 in splunk server.

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

MuS — Mon, 21 Sep 2015 20:25:16 GMT

check if there is any firewall blocking or any possible network route failure.
Any reason why you send cooked data over to port 514 ?

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

venanciop — Mon, 21 Sep 2015 20:35:19 GMT

Its not blocked, telnet is working.

I added the linux to 514 because all windows fowarders are sending data to 9997.

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

MuS — Mon, 21 Sep 2015 20:46:13 GMT

Have you searched on all indexes over all time?
What does the index=_internal on the indexer report for the forwarder?

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

venanciop — Tue, 29 Sep 2020 07:21:11 GMT

9/21/15

4:39:57.000 PM

Sep 21 17:39:57 fowarderservername sshd[31627]: Accepted password for joao.admin from 192.168.168.168 port 2326 ssh2
host = fowarderservername index = main linecount = 1 source = /var/log/secure sourcetype = linux_secure splunk_server = RJMSRV067 splunk_server_group = dmc_group_deployment_server splunk_server_group = dmc_group_indexer

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

venanciop — Mon, 21 Sep 2015 20:59:18 GMT

Seems data data is being sent to the main index and not linux index that i have created

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

somesoni2 — Mon, 21 Sep 2015 21:06:39 GMT

You should specify the index name in the inputs.conf monitoring stanza. If you don't specify the index name, data will go to "main" index by default. Check index=main all time to see if you can see your data.

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

venanciop — Tue, 29 Sep 2020 07:21:13 GMT

Yes, I can see there, I've changed my inputs.conf in fowarder server to bellow and is working!

[default]
host = fowarder_server_name

[monitor:///var/log/secure]
disabled = false
index=linux

Thank you very much somesoni2

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

MuS — Mon, 21 Sep 2015 21:17:54 GMT

Hi venanciop,

like @somesoni2 said use an inputs.confthat specifies the index:

[monitor:///var/log/secure]
disabled = false
index = linux

and restart the forwarder. Any new added events will be in index=linux

cheers, MuS

Re: Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

venanciop — Tue, 22 Sep 2015 16:24:16 GMT

Yes, it worked!! Thank you very much!