I installed a Splunk search head on my Windows machine. I installed a forwarder on a RHEL8 VM hosted by the same machine. The forwarder monitors /var and /etc. The systems can ping each other, and ports 9997 and 8089 are open. I have restarted Splunk on both systems. No errors occurred during installation or on any other operation, but no data appears on the search head.
Please help.
What about permissions?
Maybe the user which is running the Splunk forwarder doesn't have read access to those files under /var.
With root on RHEL:
setfacl -m u:splunkuser:r /var/log/secure
Restart Splunk and you should see SSH logs from RHEL8.
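To turn the answer above into a check you can run before touching anything, here is a small POSIX shell script (an added example, not code from the original thread or from Splunk) that audits which monitored files the forwarder's account cannot read and grants the same read-only ACL the answer uses. It assumes the forwarder runs as a user named "splunkuser" (a placeholder; confirm the real account with `ps -o user= -C splunkd`) and that the `acl` package is installed so `setfacl`/`getfacl` exist. Only classic mode bits are evaluated by `can_read`; an ACL that already grants access is not considered, which is acceptable for a first pass because the question is precisely whether such an ACL is needed.

```shell
#!/bin/sh
# Audit whether the forwarder's service account can read the files it is
# asked to monitor, and grant a read ACL where it cannot.
# Added example, not from the original post. Assumes the forwarder runs
# as "splunkuser" (hypothetical name; confirm with `ps -o user= -C splunkd`)
# and that setfacl/getfacl (package "acl") are installed.
#
# usage (as root):
#   . ./check_forwarder_perms.sh
#   audit_dir /var/log splunkuser            # list files it cannot read
#   grant_read splunkuser /var/log/secure    # fix one file, show the ACL

# can_read MODE OWNER GROUP USER GROUPS
#   MODE   : symbolic mode as printed by `stat -c %A`, e.g. -rw-r-----
#   GROUPS : space-separated groups USER belongs to (output of `id -Gn USER`)
# Returns 0 if USER can read the file by classic mode bits alone.
# root always can. As in POSIX, the owner class wins even when the
# group or other class is more permissive.
can_read() {
    mode="$1" owner="$2" group="$3" user="$4" grps="$5"
    [ "$user" = root ] && return 0
    if [ "$user" = "$owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c2)      # owner read bit
    else
        in_group=1
        for g in $grps; do
            [ "$g" = "$group" ] && in_group=0
        done
        if [ $in_group -eq 0 ]; then
            bit=$(printf '%s' "$mode" | cut -c5)  # group read bit
        else
            bit=$(printf '%s' "$mode" | cut -c8)  # other read bit
        fi
    fi
    [ "$bit" = r ]
}

# audit_dir DIR USER: print every regular file under DIR that USER cannot
# read. On a stock RHEL8 box /var/log/secure is 0600 root:root, so it is
# expected to show up here for any unprivileged forwarder account.
audit_dir() {
    dir="$1" user="$2"
    grps=$(id -Gn "$user" 2>/dev/null) || grps=""
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        set -- $(stat -c '%A %U %G' "$f")
        can_read "$1" "$2" "$3" "$user" "$grps" || printf '%s\n' "$f"
    done
}

# grant_read USER FILE...: add a read-only named-user ACL entry for USER
# on each file (what the answer does), leaving owner, group and mode
# untouched, then print the resulting entry so the change is visible.
grant_read() {
    user="$1"; shift
    for f in "$@"; do
        setfacl -m "u:${user}:r" "$f" && getfacl -p "$f" | grep "^user:${user}:"
    done
}
```

Two caveats a practitioner will hit next. First, a rotated log is a new inode, so the ACL on /var/log/secure disappears at the next logrotate run and the SSH events stop again; re-apply it from a logrotate `postrotate` script (or grant the forwarder account membership in a group that owns the logs) rather than relying on a one-off `setfacl`. Second, /etc contains files such as /etc/shadow that should stay unreadable; review the `audit_dir` output and grant access only to the files you actually need indexed instead of blanket-reading the directory.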