Splunk Dev

Forwarding the logs from UF to Splunk instance on different networks

raghu_vedic
Path Finder

I installed splunk in one server and also enabled the receiver please check related urls

url - http://:{private ip address}8000

reciever - http://:{private ip address}9997

I installed universal forwarder in other server (different network too) when I add forwarder server with hostname, it is not connecting because it is taking public IP address instead of private IP address. please let me know, how to solve the problem to forward the logs from UF to splunk instance on different networks.

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

Indexers receive EVERYTHING by default; there is no whitelisting. So if you have outputs.conf setup on your UF correctly (use IP Addresses), you should be good-to-go. If it doesn't work, check your standard network things (ACL, firewall, ports, SELinux, etc.).

View solution in original post

0 Karma

ephemeric
Contributor

Do not hardcode IP addresses in prod. In dev, sure, for testing. If you change your IPs once in prod it becomes unwieldy.

Use DNS. In your case: you haven't stated the hostname you're using so we assume it is colliding with the public DNS namespace.

Change your hostnames to a private namespace or if you must use FQDNs in the public namespace, put entries in `/etc/hosts`:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255	broadcasthost
::1             localhost
192.168.20.149  idx01.host.tld
192.168.20.148  idx02.host.tld
0 Karma

woodcock
Esteemed Legend

Indexers receive EVERYTHING by default; there is no whitelisting. So if you have outputs.conf setup on your UF correctly (use IP Addresses), you should be good-to-go. If it doesn't work, check your standard network things (ACL, firewall, ports, SELinux, etc.).

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi raghu_vedic,
a silly question: Why you don't use IP address instead hostname in your forwarder's outputs.conf? so you haven't any DNS problem.
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...