Splunk Enterprise doesn't detect universal forwarder (linux)

dejanu — Thu, 14 Jan 2021 11:22:09 GMT

I have one machine with Splunk Enterprise and on another machines I've installed a universal forwarder. Even-though everything seems ok from the installation point of view, somehow Spunk Enterprise does not detect the forwarder:

- In the Splunk Web interface I've enabled receiving on port 9997 ( Splunk Web: Settings -> Forwarding and receiving )

- After installing the forwarder (linux) , I've started it from /bin :

./splunk start (accepted license)

./splunk add forward-server <splunk_web_server>:9997

# add a source

./splunk add monitor /var/log/auth.log -sourcetype linux_secure

./splunk restart

Am I missing something ? Thx

Re: Splunk Enterprise doesn't detect universal forwarder (linux)

scelikok — Thu, 14 Jan 2021 12:02:24 GMT

Hi @dejanu,

Possible options are;

1- On Splunk Enterprise machine, firewall may be blocking 9997 port access. Please check firewall.

2- Check internal logs for client host with;

index=_internal host=forwarder_hostname

3- If below steps are ok maybe there is permission problem. If you start UF on linux with splunk user, by default splunk user cannot read "/var/log/auth.log" file. You should give read permission to splunk user.

If this reply helps you an upvote is appreciated.

topic Splunk Enterprise doesn't detect universal forwarder (linux) in Getting Data In

Splunk Enterprise doesn't detect universal forwarder (linux)

Re: Splunk Enterprise doesn't detect universal forwarder (linux)