Data not forwarding to cluster/master

Communicator

The logging isn't making it to my cluster. I'm trying to capture port traffic in one of my UF (universal forwarders) and sending it to my cluster. I have a few [monitor:/xxxx] set up in the same inputs.conf and they are working. Is there something different I need to do to get this port data_input to work?

Port: 10674
Traffic is coming to my server: tcpdump -n tcp dst port 10674 (works)

I've configured my universal forwarder local/inputs.conf

[tcp://:10674]
_TCP_ROUTING = PST_01
#connection_host = none
index = Pacific_Coast_01
sourcetype = Pacific_Coast

I have indexDiscovery setup on my master.
Traffic isn't making into my peer cluster.

Any advice would be great. Thank You.

0 Karma
1 Solution

Legend

What is in outputs.conf on your forwarder? What is in splunkforwarder/var/log/splunkd.log that might be related to this problem? If your forwarder is successfully retrieving a list of servers from the cluster master, you should be able to see it there - or an error message if not.

How are your indexers configured to receive the input?

Another thing to check is that you have the right password for the cluster. Of course, you won't be able to see it, because it is encrypted. But if you aren't sure (or if the log indicates that the forwarder can't talk to the cluster master), then you might want to re-enter it into the pass4SymmKey in outputs.conf on the forwarder. Restart the forwarder to encrypt the password and make the forwarder try again to connect.

On your forwarder's inputs.conf, you have

connection_host = none

But then you didn't set

host=xyz

which you need to do if you aren't using the connection host. I suppose you can let it default to the forwarder's host name, but that doesn't seem to be where the data originated...

Hopefully, you have followed the directions for Use indexer discovery...

0 Karma

SplunkTrust

Can you post the outputs.conf as well?

0 Karma

Communicator

Outputs from my forwarder:

[indexer_discovery:master1]
pass4SymmKey = <xxxxx>
master_uri = https://<IP>:8089

[tcpout:PST_01]
autoLBFrequency = 30
forceTimebasedAutoLB = true
indexerDiscovery = master1
useACK = true

[tcpout]
defaultGroup = PST_01

Recap:
- My inputs.conf includes [monitor:/xxxx] entries which are working and populating my cluster.
- Pass4SymmKey is working.
- I am now trying to set up [TCP://xxx] entries. I have data being piped from an appliance to my forwarder over port 10674. I've tried [TCP://:10599] and currently trying [TCP://:10599] modifications within the inputs.conf

Thank You

0 Karma
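A consistency check over the forwarder's inputs.conf and outputs.conf as posted in this thread, written here as an added example (not code from any poster or from Splunk): it cross-references _TCP_ROUTING and indexerDiscovery against the stanzas they name, and flags the two things the accepted answer points at, connection_host = none without an explicit host= and a pass4SymmKey that has not yet been encrypted by a restart. The stanza contents are copied from the posts above; the key and the master IP are placeholders.

```python
import configparser
from typing import List

# Constructed copies of the stanzas posted in this thread (placeholder key and IP).
INPUTS_CONF = """
[tcp://:10674]
_TCP_ROUTING = PST_01
connection_host = none
index = Pacific_Coast_01
sourcetype = Pacific_Coast
"""
OUTPUTS_CONF = """
[indexer_discovery:master1]
pass4SymmKey = placeholder-cleartext-key
master_uri = https://192.0.2.10:8089
[tcpout:PST_01]
indexerDiscovery = master1
useACK = true
[tcpout]
defaultGroup = PST_01
"""

def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk .conf file; keys stay case-sensitive so _TCP_ROUTING is not folded."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint_forwarder(inputs_text: str, outputs_text: str) -> List[str]:
    """Return findings for the cross-file mistakes discussed in the thread; [] means consistent."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    groups = {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")}
    discovery = {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("indexer_discovery:")}
    findings = []
    for name in (s for s in inputs.sections() if s.startswith("tcp://")):
        stanza, route = inputs[name], inputs[name].get("_TCP_ROUTING")
        if route and route not in groups:  # routing target must exist in outputs.conf
            findings.append(f"{name}: _TCP_ROUTING={route} has no [tcpout:{route}] stanza")
        if stanza.get("connection_host", "").lower() == "none" and "host" not in stanza:
            findings.append(f"{name}: connection_host=none but no host= set; events get the forwarder's hostname")
    for name in outputs.sections():
        disc = outputs[name].get("indexerDiscovery")
        if name.startswith("tcpout:") and disc and disc not in discovery:
            findings.append(f"{name}: indexerDiscovery={disc} has no [indexer_discovery:{disc}] stanza")
        # Splunk rewrites pass4SymmKey as $1$... or $7$... on restart; anything else is still cleartext
        if name.startswith("indexer_discovery:") and not outputs[name].get("pass4SymmKey", "").startswith("$"):
            findings.append(f"{name}: pass4SymmKey is cleartext; restart the forwarder so it is encrypted")
    return findings
```

Run it against the live files with `lint_forwarder(open(".../local/inputs.conf").read(), open(".../local/outputs.conf").read())`; an empty list means the two files agree with each other, not that the cluster master is reachable, which is what splunkd.log answers.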