I am trying to get a Windows 2008 box hooked into Splunk cloud.
Specifically I want to forward logs from a custom log file to my Splunk Cloud 14 day trial account.
I have downloaded and installed the Universal forwarder from the generic download page (instructions stating I'd get a 'welcome email with custom download' appear to be incorrect).
I have installed the universal forwarder and configured its 'etc\system\local\outputs.conf' file like so:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997

[tcpout-server://input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997]
Running 'splunk list monitor' shows I'm monitoring files:
c:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor
Your session is invalid. Please login.
Splunk username: admin
Password:
Monitored Directories:
        $SPLUNK_HOME\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\first_install.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\mongod.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\remote_searches.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\scheduler.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\searchhistory.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd-utility.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_access.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_ui_access.log
        $SPLUNK_HOME\var\spool\splunk\...stash_new
Monitored Files:
        $SPLUNK_HOME\etc\splunk.version
        C:\Program Files (x86)\mmc-distribution-mule-console-bundle-3.6.0\mule-enterprise-3.6.0\logs\mule_ee.log
and a tail of the splunkd.log shows this:
01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
And nothing is being logged to the Cloud.
How do I further debug this?
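A diagnostic script for the three things the post already shows: the effective outputs.conf, raw TCP reachability of the configured input, and the rate of TcpOutputFd errors in splunkd.log. This is an added example, not code from the post or from Splunk; it assumes the default forwarder install path and uses the placeholder host:port from the outputs.conf above, and it sticks to PowerShell 2.0 features so it runs on Windows Server 2008.

```powershell
# Added diagnostic script (not from the original post or from Splunk).
# Assumes the default UF install path and the host:port quoted in the post.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Server     = 'input-prd-p-nq5bfls7RANDOM.cloud.splunk.com'   # placeholder from the post
$Port       = 9997

# 1. What outputs.conf actually resolves to after all config layers are merged.
#    btool prints the effective settings and the file each one came from,
#    so a stray default/ or app-level stanza overriding system/local shows up here.
& "$SplunkHome\bin\splunk.exe" btool outputs list --debug

# 2. Can this box open a raw TCP connection to the indexer input at all?
#    TcpClient works on PowerShell 2.0 / Windows 2008 (Test-NetConnection does not exist there).
$client = New-Object System.Net.Sockets.TcpClient
try {
    $ar = $client.BeginConnect($Server, $Port, $null, $null)
    if ($ar.AsyncWaitHandle.WaitOne(5000, $false)) {
        $client.EndConnect($ar)
        "TCP connect to ${Server}:${Port} succeeded"
    } else {
        "TCP connect to ${Server}:${Port} timed out (DNS, firewall or egress proxy?)"
    }
} catch {
    "TCP connect failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 3. Count TcpOutput* errors per minute from the tail of splunkd.log, so the
#    failure pattern (steady every 30 s, bursts, or gone after a change) is visible at a glance.
$log = "$SplunkHome\var\log\splunk\splunkd.log"
Get-Content $log | Select-Object -Last 500 |
    Select-String -Pattern 'ERROR\s+TcpOutput' |
    ForEach-Object {
        # Timestamp is the first two fields, e.g. "01-22-2015 14:35:09.789"; keep to the minute.
        (($_.Line -split '\s+')[0..1] -join ' ').Substring(0, 16)
    } |
    Group-Object |
    Sort-Object Name |
    Format-Table Name, Count -AutoSize
```

A raw TCP connect that succeeds while the forwarder still logs "forcibly closed by the remote host" means the socket opens and is then dropped above the TCP layer; Splunk Cloud inputs expect the SSL settings shipped in the Universal Forwarder app that the thread mentions, which a plain TCP probe does not exercise.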
in particular this recent update:
You can now download an app which you can install into a universal forwarder from the sandbox instance itself. After logging into your instance, click on the "Universal Forwarder" app from the launcher page. From the subsequent page you can download the app and follow the instructions to install it into a universal forwarder.
That doesn't help. As I said, I've installed the universal forwarder and set it up. It's just not forwarding logs. The trial instructions are piecemeal and conflicting.
Evaluating the product shouldn't be this hard. That's some feedback for Splunk product management.