https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294597#M55963 <P>hey @anshuman19<BR /> If you want to receive logs from <CODE>linux machine</CODE> then you must <CODE>install universal forwarder</CODE> on <CODE>linux machine</CODE><BR /> As universal forwarder <BR /> 1) tells the forwarder what data to send i.e. your_file<BR /> 3) tells it where to send the data i.e. on windows machine</P> <P>To get the data from from your linux machine</P> <P>1)In <CODE>inputs.conf</CODE> of splunk forwarder i.e on linux machine <CODE>/opt/etc/system/local/inputs.conf</CODE></P> <P>monitor:///path.../myfile] <BR /> index =<BR /><BR /> host = 192.168.5.007<BR /> sourcetype = linux:log</P> <P>2) For <CODE>outputs.conf</CODE> run below command on linux universal forwarder<BR /> ./splunk add forward-server 192.168.2.047:9997<BR /> ./splunk set deploy-poll 192.168.2.047:8089</P> <P>3) On windows machine<BR /> Configure the receiving port on Indexer (inputs.conf for receiving data on port say 9997)<BR /> Read details at <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver">http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver</A> <BR /> [splunktcp://9997]<BR /> disabled = 0</P> <P>4) Restart universal forwarder on linux machine. go to <CODE>/opt/splunkforwarder/bin</CODE> and run<BR /> <CODE>./splunk restart</CODE></P> <P>5) search for your data on windows machine</P> <P>This will work only if you have connectivity between windows(indexer) and linux(forwarder) machine with <CODE>9997</CODE> and <CODE>8089</CODE> ports</P> <P>Let me know if this helps!</P> Thu, 11 Jan 2018 11:49:57 GMT mayurr98 2018-01-11T11:49:57Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294596#M55962 <P>I want to receive the logs of Linux machine having UF installed in my windows machine which have splunk enterprise free with domain account I edited the inputs.conf and outputs.conf as follows<BR /> ip of my Linux is suppose 192.168.5.007<BR /> ip of windows with port no I want to recieve is suppose 192.168.2.047:9997</P> <P><STRONG>In inputs.conf of splunk forwarder</STRONG><BR /> [monitor:///path.../myfile] <BR /> index=INDEX_NAME</P> <P>host = 192.168.5.007</P> <P>sourcetype = linux:log</P> <P><STRONG>outputs.conf</STRONG> </P> <P>[tcpout-server://192.168.2.047:9997] </P> <P>compressed=false </P> <P><STRONG>In inputs.conf of splunk enterprise in windows</STRONG></P> <P>[splunktcp://9997]<BR /> disabled = 0</P> <P>can some help me that if I have done every thing fine or I have to change any thing?<BR /> I edited the inputs.conf and outputs.conf of system\local.</P> Thu, 11 Jan 2018 05:13:39 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294596#M55962 anshuman19 2018-01-11T05:13:39Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294597#M55963 <P>hey @anshuman19<BR /> If you want to receive logs from <CODE>linux machine</CODE> then you must <CODE>install universal forwarder</CODE> on <CODE>linux machine</CODE><BR /> As universal forwarder <BR /> 1) tells the forwarder what data to send i.e. your_file<BR /> 3) tells it where to send the data i.e. on windows machine</P> <P>To get the data from from your linux machine</P> <P>1)In <CODE>inputs.conf</CODE> of splunk forwarder i.e on linux machine <CODE>/opt/etc/system/local/inputs.conf</CODE></P> <P>monitor:///path.../myfile] <BR /> index =<BR /><BR /> host = 192.168.5.007<BR /> sourcetype = linux:log</P> <P>2) For <CODE>outputs.conf</CODE> run below command on linux universal forwarder<BR /> ./splunk add forward-server 192.168.2.047:9997<BR /> ./splunk set deploy-poll 192.168.2.047:8089</P> <P>3) On windows machine<BR /> Configure the receiving port on Indexer (inputs.conf for receiving data on port say 9997)<BR /> Read details at <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver">http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver</A> <BR /> [splunktcp://9997]<BR /> disabled = 0</P> <P>4) Restart universal forwarder on linux machine. go to <CODE>/opt/splunkforwarder/bin</CODE> and run<BR /> <CODE>./splunk restart</CODE></P> <P>5) search for your data on windows machine</P> <P>This will work only if you have connectivity between windows(indexer) and linux(forwarder) machine with <CODE>9997</CODE> and <CODE>8089</CODE> ports</P> <P>Let me know if this helps!</P> Thu, 11 Jan 2018 11:49:57 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294597#M55963 mayurr98 2018-01-11T11:49:57Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294598#M55964 <P>Hi nshuman19,<BR /> you can install Splunk Enterprise on a Windows server and monitor a Linux server, but Universal Forwarder must be installed on Linux server not on Windows server!<BR /> see <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain</A> for more information.</P> <P>In few words:</P> <UL> <LI>install UF on Linux server,</LI> <LI>configure outputs.conf on UF,</LI> <LI>configure inputs.conf on UF,</LI> <LI>enable receiving on Splunk Enterprise.</LI> </UL> <P>To configure inputs, the easiest way id to use Splunk_TA_Linux that you can find in apps.splunk.com.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 17:32:57 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294598#M55964 gcusello 2020-09-29T17:32:57Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294599#M55965 <P>Thanks mayurr98</P> <P>its works but I shut down my both system and again started next morning its not receiving any thing from that Linux machine what to do now? </P> Fri, 12 Jan 2018 05:57:34 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294599#M55965 anshuman19 2018-01-12T05:57:34Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294600#M55966 <P>Thanks cusello</P> Fri, 12 Jan 2018 05:58:28 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294600#M55966 anshuman19 2018-01-12T05:58:28Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294601#M55967 <P>have you enabled it as boot-start?<BR /> To enable automatic start on boot:</P> <P>$SPLUNK_HOME/bin/splunk enable boot-start<BR /> do this on both the systems!</P> Fri, 12 Jan 2018 06:10:53 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294601#M55967 mayurr98 2018-01-12T06:10:53Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294602#M55968 <P>I have done it in windows but in Linux it says that command not found</P> Fri, 12 Jan 2018 07:03:20 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294602#M55968 anshuman19 2018-01-12T07:03:20Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294603#M55969 <P>hey on linux you have to go to <CODE>/opt/splunkforwarder/bin</CODE> and then run <CODE>./splunk enable boot-start</CODE><BR /> you can refer this link if you have any query<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/ConfigureSplunktostartatboottime#Enable_boot-start_on_.2Anix_platforms">https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/ConfigureSplunktostartatboottime#Enable_boot-start_on_.2Anix_platforms</A></P> Fri, 12 Jan 2018 07:20:41 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294603#M55969 mayurr98 2018-01-12T07:20:41Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294604#M55970 <P>ohk done, now it will directly fetch the data or we have to restart the forwarder?</P> Fri, 12 Jan 2018 07:24:26 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294604#M55970 anshuman19 2018-01-12T07:24:26Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294605#M55971 <P>yes it should..try and let me know !</P> Fri, 12 Jan 2018 07:28:03 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294605#M55971 mayurr98 2018-01-12T07:28:03Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294606#M55972 <P>Thanks mayurr98 it's working!!</P> Mon, 15 Jan 2018 12:37:38 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294606#M55972 anshuman19 2018-01-15T12:37:38Z https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294607#M55973 <P>Hey, I am glad my answer helped you! pls, upvote my answer/comments whichever helped you.</P> Mon, 15 Jan 2018 12:40:08 GMT https://community.splunk.com/t5/Getting-Data-In/I-am-not-recieving-the-logs-of-my-linux-machine/m-p/294607#M55973 mayurr98 2018-01-15T12:40:08Z