I installed splunk in one server and also enabled the receiver please check related urls
url - http://:{private ip address}8000
reciever - http://:{private ip address}9997
I installed universal forwarder in other server (different network too) when I add forwarder server with hostname, it is not connecting because it is taking public IP address instead of private IP address. please let me know, how to solve the problem to forward the logs from UF to splunk instance on different networks.
Indexers receive EVERYTHING by default; there is no whitelisting. So if you have outputs.conf
setup on your UF correctly (use IP Addresses), you should be good-to-go. If it doesn't work, check your standard network things (ACL, firewall, ports, SELinux, etc.).
Do not hardcode IP addresses in prod. In dev, sure, for testing. If you change your IPs once in prod it becomes unwieldy.
Use DNS. In your case: you haven't stated the hostname you're using so we assume it is colliding with the public DNS namespace.
Change your hostnames to a private namespace or if you must use FQDNs in the public namespace, put entries in `/etc/hosts`:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
192.168.20.149 idx01.host.tld
192.168.20.148 idx02.host.tld
Indexers receive EVERYTHING by default; there is no whitelisting. So if you have outputs.conf
setup on your UF correctly (use IP Addresses), you should be good-to-go. If it doesn't work, check your standard network things (ACL, firewall, ports, SELinux, etc.).
hi raghu_vedic,
a silly question: Why you don't use IP address instead hostname in your forwarder's outputs.conf? so you haven't any DNS problem.
Bye.
Giuseppe