https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381363#M68793 <P>Hi,</P> <P>I have one more problem, I am only able to see the logs from my folder on universal forwarder:</P> <P>C:\Program Files\SplunkUniversalForwarder\var\log\splunk</P> <P>Apart from it am not able to see any folder logs</P> <P>Can you please suggest something on this?</P> Wed, 20 Feb 2019 12:47:49 GMT partix2 2019-02-20T12:47:49Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381355#M68785 <P>Hi , i have created 2 instances of windows in AWS and using one of the instance using universal forwarder to forward the logs on another windows instance of splunk enterprise as my indexer. But the logs are not getting forwarded and i can see the service of forwarder running on my Universal forwarder instance.Also i have enabled the receiving port 9997 on my indexer. What can be probable reason for the same?</P> Wed, 13 Feb 2019 12:32:48 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381355#M68785 partix2 2019-02-13T12:32:48Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381356#M68786 <P>It could be a lot of reasons. Did you configure outputs.conf? Did you configure network setting? Are instances able to ping each other?</P> Wed, 13 Feb 2019 13:46:55 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381356#M68786 eduardKiyko 2019-02-13T13:46:55Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381357#M68787 <P>In reverse probable order:</P> <P>1.) Did you configure an AWS security group to allow your UF to send outbound traffic on port 9997<BR /> 2.) Did you configure an AWS security group to allow your Indexer to receive inbound traffic on 9997<BR /> 3.) Have you configured Windows Firewall to allow the same?<BR /> 4.) Did you configure the forwarder to forward events to the indexer on 9997? - Did you use the ui, or did you set an ouputs.conf config? - Can you post the config?<BR /> 5.) Does netstat show the UF trying to open port 9997 to send data on the UF?<BR /> 6.) Does netstat show the indexer listening on port 9997?</P> Wed, 13 Feb 2019 14:46:16 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381357#M68787 nickhills 2019-02-13T14:46:16Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381358#M68788 <P>Hi , my comments for your concerns are listed as below:<BR /> 1. Did you configure an AWS security group to allow your UF to send outbound traffic on port 9997 -- YES<BR /> 2. Did you configure an AWS security group to allow your Indexer to receive inbound traffic on 9997 -- YES<BR /> 3. Have you configured Windows Firewall to allow the same? -- YES<BR /> 4. Did you configure the forwarder to forward events to the indexer on 9997? – YES<BR /> 5. Did you use the ui, or did you set an ouputs.conf config? – I used UI to configure forwarding to the indexer.<BR /> 6. Can you post the config? – The outputs.conf from indexer instance in the folder “C:\Program Files\SplunkUniversalForwarder\etc\system\local” is as below:</P> <P>[tcpout]<BR /> defaultGroup = default-autolb-group<BR /> [tcpout:default-autolb-group]<BR /> server = 172.31.88.99:9997<BR /> [tcpout-server://172.31.88.99:9997]<BR /> 7. Does netstat show the UF trying to open port 9997 to send data on the UF?- Netstat does not give any hint of UF trying to open port 9997<BR /> 8. Does netstat show the indexer listening on port 9997? – Indexer is not listening on port 9997</P> <P>Can you please help me how to proceed with this issue ..</P> Thu, 14 Feb 2019 08:22:57 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381358#M68788 partix2 2019-02-14T08:22:57Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381359#M68789 <P>So 7 &amp; 8 appear to be the most concerning then.</P> <P>netstat -nab should show you the ports that splunk has opened. <BR /> On a UF, I would expect to see (unless you have disabled) it listening on 8089.<BR /> If it was trying to forward events to an indexer you should see the indexer IP and a listing for 9997</P> <P>On the indexer you would see it listening on 8000, 8089, and 9997 (among others) <BR /> If you still don't see any ports open, are you sure that the services are running properly?</P> Thu, 14 Feb 2019 14:26:58 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381359#M68789 nickhills 2019-02-14T14:26:58Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381360#M68790 <P>Hi , my comments are as below : </P> <P>On indexer , I can see the established connection between indexer and forwarder on port 9997.</P> <P>On forwarder I can see “TCP 172.31.37.196:49166 172.31.88.99:9997 FIN_WAIT_1” , its not showing as established or listening on port 9997, also logs are not forwarded to indexer. I also restarted the service on forwarder , but same result. What can be the probable reason for the same?<BR /> 172.31.37.196- forwarder IP<BR /> 172.31.88.99 - Indexer IP</P> Tue, 29 Sep 2020 23:14:44 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381360#M68790 partix2 2020-09-29T23:14:44Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381361#M68791 <P>Have you configured inputs.conf?</P> <P>Try searching for something like:<BR /> <CODE>index=_internal |stats count by host</CODE><BR /> If you see two hosts returned by that search, then Splunk is working properly but it sounds like you just need to configure the universal forwarder to collect the logs.</P> Fri, 15 Feb 2019 14:42:04 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381361#M68791 nickhills 2019-02-15T14:42:04Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381362#M68792 <P>Thanks for your valuable suggesstion<BR /> I tried searching with the command :<BR /> "index=_internal |stats count by host"</P> <P>This was successful as I was getting logs from that forwarder but when I am simply searching with only the hostname of the Forwarder it shows no results.</P> <P>May I know the reason for that?</P> Mon, 18 Feb 2019 12:41:30 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381362#M68792 partix2 2019-02-18T12:41:30Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381363#M68793 <P>Hi,</P> <P>I have one more problem, I am only able to see the logs from my folder on universal forwarder:</P> <P>C:\Program Files\SplunkUniversalForwarder\var\log\splunk</P> <P>Apart from it am not able to see any folder logs</P> <P>Can you please suggest something on this?</P> Wed, 20 Feb 2019 12:47:49 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-issue-in-AWS/m-p/381363#M68793 partix2 2019-02-20T12:47:49Z