I have installed the Splunk forwarder, but Splunk Enterprise can't detect it.
Both machines are on the same subnet. I use the IP address.
So at first that has nothing to do with "deploying" or "using a deployment server", and there is also no need for a connection to port 8089 just for sending/receiving data. You have to define your input on the machine running the forwarder. Do you have an inputs.conf in (e.g.) etc/system/local, and what is its content?
Only 2 rows:
[default]
host = PC0368-W10
But I have followed the procedure to install the forwarder, including entering the deployment server and indexing server. Actually, I don't know what an indexing server is.
Then you have to define some input. See Getting data in and especially the chapter for Windows Event Logs.
And: the indexing server is the heart of Splunk; that's where your data is going. Maybe you should start with the free Splunk training, Fundamentals 1, to get an idea what Splunk is all about.
You have to define the indexing server at the forwarder side, but you don't have to define the deployment server. It makes things easier in environments with more than one server, but it also makes things too complex if you're just at the beginning and only have one Splunk server and one Universal Forwarder installed on another server.
Also you have to enable "Receiving" on your indexing server (aka Indexer). It's under "Settings -> Forwarding and Receiving -> Configure Receiving". There you have to define port 9997 (that's the default value and you should start with it). Then restart Splunk.
I have clicked all the boxes when I did the installation.
Could you teach me how to change it?
If the Splunk server and the forwarder server are not in the same domain, is that fine?
If you "checked all the boxes" you really should have an inputs.conf containing more than just the two lines - and it's way too much if you just want your Event Logs. Just do a search starting at Splunk's etc directory. Then you should get it.
Regarding the domain: I have no idea. You should check if you can reach the indexer from the forwarder with some network tools, e.g. ping or telnet (to port 9997 as said above).
I'm not sure about the user and password. If I remember right these are credentials if you are using a proxy server.
Update: You seem to use a "Domain Account" for running the Splunk Universal Forwarder. That's what you probably clicked. Just use "Local System" and you are fine.
The inputs.conf is under etc\apps\SplunkUniversalForwarder\local\inputs.conf. So that should be fine also in your system. Please check if the file is there and if it contains (e.g.) [WinEventLog://Application] - and the same for Security and System.
There is a user account and password input during the installation. May I know what information I have to enter?
How are you realizing that "splunk enterprise can't detect it"? What are/were you looking for?
I want to get the log (Windows event log) from the Splunk forwarder.
Hi,
I suppose you mean the forwarder is not phoning home and is not visible in your deployment server?
Check the config on your forwarder. It should have a deploymentclient.conf looking like this:
[deployment-client]
[target-broker:deploymentServer]
targetUri = deploymentserver.splunk.mycompany.com:8089
For more reference see https://docs.splunk.com/Documentation/Splunk/7.2.3/Updating/Configuredeploymentclients
Do you already have the deployment server enabled as well?
How do I enable the deployment server?
On your deployment server, just create an app in $SPLUNK_HOME/splunk/etc/deployment-apps/
This app can be totally empty, you just need the folder; just call it first_app.
Then restart your deployment server and you will have under Settings -> Forwarder Management the UI for your deployment server.
Check out these docs for more knowledge about the deployment server:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Updating/Aboutdeploymentserver
Could you give me more information?
I don't really know Splunk.
Is the deployment server equal to the Splunk forwarder client?
How do I create an app? Just an empty file?
I am on Windows. Please try to give me GUI guidelines.
You should really check out the docs.
About Deployment server:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Updating/Aboutdeploymentserver
How to set up the forwarder to send data to your indexer:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/forwardersdirecttopeers
If you want to have further insight you really should think about getting started with Splunk education: https://www.splunk.com/en_us/training.html
The first one, "Splunk Fundamentals", is for free. The topic of deployment will be covered in a later course though.
My result is that no client phones home.
Make sure that your forwarder got the deployment client config, as written earlier.
In $SPLUNK_HOME/splunkforwarder/etc/apps/ create a new folder "deploymentclient_app", then create a local folder inside it, and then create a deploymentclient.conf in local.
Paste this into deploymentclient.conf:
[deployment-client]
[target-broker:deploymentServer]
targetUri = deploymentserver.splunk.mycompany.com:8089
Replace deploymentserver.splunk.mycompany.com with the IP or DNS name of your deployment server.
Then restart the forwarder. Sometimes it does take some time until the forwarder appears in your forwarder management.
Hope that helps.
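As an added example (not from the thread or from Splunk), a small Python checker that parses a forwarder's inputs.conf, outputs.conf and deploymentclient.conf and reports which items of the checklist given above fail: WinEventLog stanzas for Application/Security/System, an indexer target on receiving port 9997, and a deployment target on port 8089 with the placeholder hostname replaced. The file contents and the 192.0.2.10 address are constructed samples.

```python
import configparser

PLACEHOLDER = "deploymentserver.splunk.mycompany.com"  # template hostname from the thread
# Constructed sample files (not from a real host); 192.0.2.10 is a documentation-only IP.
INPUTS_CONF = """[default]
host = PC0368-W10
[WinEventLog://Application]
[WinEventLog://Security]
[WinEventLog://System]
"""
OUTPUTS_CONF = """[tcpout:default-autolb-group]
server = 192.0.2.10:9997
"""
DEPLOYMENTCLIENT_CONF = """[deployment-client]
[target-broker:deploymentServer]
targetUri = 192.0.2.10:8089
"""

def parse_conf(text):
    # Splunk .conf files are INI-like; keys are case-sensitive and stanzas may be empty.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _host_port(value):
    host, sep, port = value.strip().rpartition(":")
    return host, (int(port) if sep and port.isdigit() else None)

def check_forwarder(inputs_text, outputs_text, deploy_text=None):
    """Return the list of checklist violations; an empty list means every check passed."""
    problems = []
    inputs = parse_conf(inputs_text)
    for log in ("Application", "Security", "System"):
        if f"WinEventLog://{log}" not in inputs.sections():
            problems.append(f"inputs.conf: missing [WinEventLog://{log}]")
    outputs = parse_conf(outputs_text)
    servers = [s for sec in outputs.sections() if sec.startswith("tcpout:")
               for s in outputs.get(sec, "server", fallback="").split(",") if s.strip()]
    if not servers:
        problems.append("outputs.conf: no tcpout server, so data has nowhere to go")
    for s in servers:
        if _host_port(s)[1] != 9997:
            problems.append(f"outputs.conf: {s.strip()} is not on receiving port 9997")
    if deploy_text is not None:  # deployment client is optional, as the thread says
        uri = parse_conf(deploy_text).get("target-broker:deploymentServer", "targetUri", fallback="")
        host, port = _host_port(uri)
        if host == PLACEHOLDER:
            problems.append("deploymentclient.conf: targetUri still has the placeholder hostname")
        elif port != 8089:
            problems.append(f"deploymentclient.conf: targetUri {uri!r} is not on management port 8089")
    return problems
```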
You mean make the deploymentclient.conf in the new folder "deploymentclient_app"?
Still no client phones home.
No.
Hope that makes it clearer.
Thank you. I did the same, except the folder is called SplunkUniversalForwarder.
But it still doesn't work.
Did you restart the forwarder?
Yes. I restarted the splunkforwarder service.