topic Re: New Splunk Installation Not Recieving Logs in Installation

New Splunk Installation Not Recieving Logs

nmace — Tue, 03 Jan 2012 20:01:11 GMT

I've got a new install of Splunk that refuses to receive logs from any of Windows servers. I have the Splunk Universal Forwarder installed on the machine I want to gather logs from. I left the port setting on the default. However the only logs the Splunk server seems to be receiving is local log files. I'm not sure what the problem is, I didn't have this problem when I setup Splunk before previously. Maybe I'm overlooking something obvious? I'm using the current release of Splunk as well as the current release of the forwarder.

Re: New Splunk Installation Not Recieving Logs

Spelunke — Tue, 03 Jan 2012 20:05:38 GMT

Any firewall between forwarder and splunk server?

Re: New Splunk Installation Not Recieving Logs

nmace — Tue, 03 Jan 2012 20:07:13 GMT

Nope. No hardware firewall, no software firewall either.

Re: New Splunk Installation Not Recieving Logs

yannK — Mon, 28 Sep 2020 10:16:21 GMT

here are some steps :
- check $SPLUNK_HOME/var/log/splunk/splunkd.log on the forwarder to see if it complains about : network issue, or log collection.
- maybe the internal logs are forwarded but not the windows events (check index=_internal | stats count by host )
- is the indexer receiving data from other forwarders ?

Re: New Splunk Installation Not Recieving Logs

nmace — Wed, 04 Jan 2012 15:57:39 GMT

The log file reports:

No connection could be made because the target machine actively refused it.

That is looking on port 9997 (the default). When I try to add that port to Splunk's TCP data inputs, I get a "Parameter name: TCP port 9997 is not available". That port is not setup as a UDP port either.

This splunk host isn't recieving any data from any forwader.

Re: New Splunk Installation Not Recieving Logs

nmace — Wed, 04 Jan 2012 15:57:44 GMT

The log file reports:

No connection could be made because the target machine actively refused it.

This splunk host isn't recieving any data from any forwader.

Re: New Splunk Installation Not Recieving Logs

yannK — Wed, 04 Jan 2012 18:31:44 GMT

Use netstats to see which process is using your port 9997 TCP.

udp, tcp and splunktcp are different protocols, you want splunktcp.
To configure splunk to receive forwarded data, please go to
manager > forwarding & receiving > receiving > add the port 9997.
(and disable the inputs you may have created in inputs)

Re: New Splunk Installation Not Recieving Logs

nmace — Wed, 04 Jan 2012 20:24:30 GMT

That fixed it, thanks! Netstat revealed something else was using port 9997. Fixing that, then deleting my inputs and setting it up under "Recieving" fixed the problem. Thanks!