Background Information:
We are having trouble with the "Splunk Add-on for Unix and Linux" (https://splunkbase.splunk.com/app/833/), as we are unable to get log data from our Debian Hosts to the indexer without manually adding the log location from the "Add Data" Process. None of the predefined inputs work, and we are unable to index the "File and Directory Inputs" or the "Scripted Inputs" as listed in the "Splunk Add-on for Unix and Linux" Setup page. We have tried installing the forwarder on various hosts within the infrastructure, uninstalling the forwarders & reinstalling forwarders on the Debian hosts, uninstalling & reinstalling the "Splunk Add-on for Unix and Linux", & nothing we have attempted has fixed the problem we seem to have.
In contrast, the "Splunk Add-on for Microsoft Windows" works perfectly with the Windows 8.1 host, and we were able to get the log data indexed & it is currently searchable. All of the predefined inputs work as advertised and we don't have any issues.
We are lost & looking for answers. Any help is appreciated, & I can provide more details if needed.
Thomas
Turns out this was a permission issue. When Splunk was initially installed on the Debian VM, the installation package created a user "506" that didn't have rights to perform the necessary actions to input data with the Add-on for Unix and Linux. Very Strange.
Anyway I had to reconfigure the whole installation by removing the Splunk VM, and stopping forwarders etc. and everything is working properly.
Thank you for the help!
A couple of common problems on Debian:
  - the dash shell is not optimal: http://answers.splunk.com/answers/151457/why-am-i-getting-an-error-installing-splunk-add-on-for-unix...
  - make sure you've got sysstat: http://docs.splunk.com/Documentation/UnixAddOn/5.1.2/User/Platformandhardwarerequirements#What_other...
jcoates,
Thank you for the response.
I will check and make sure sysstat is installed on the hosts in the morning, and I will report back with the results.
We are not seeing any errors like in the link provided above.
Thomas
Update:
All of the Debian VMs had sysstat installed.
Any other ideas?
Bump. Anyone?
Just to make sure... did you enable the data and scripted inputs (http://docs.splunk.com/Documentation/UnixAddOn/5.1.2/User/Enabledataandscriptedinputs)? I can't quite tell from the way you worded your question.
Chris,
Thank you for the response. Everything is enabled in the Setup page.

