Forwarding with Linux host to Splunk

Explorer

Hi all, I have a free Splunk server set up which is gathering all my syslog data from switches, etc.

I'm moving on to getting our OSes to forward their log data to Splunk. Everything I talk of here is on Linux, installed using the RPM.

I set up the splunk server to receive on port 9997.

After installing it, I followed the docs and ran the following on the remote host:

cd /opt/splunk/etc

mv splunk-forwarder.license splunk.license

cd /opt/splunk/bin

./splunk start

./splunk enable app SplunkLightForwarder

./splunk restart

./splunk add forward-server :9997

./splunk restart

However, I don't have anything showing on the Splunk server for that host. This is a server where lots gets dumped to /var/log/messages, so there should be something showing in the Splunk server for it. I'm pretty green on Splunk right now and am probably missing something easy but can't find it; I've searched lots before posting. I'd appreciate any help.

Thanks!

Explorer

Hi ryamry,

I am also stuck in the same situation as yours. Can you advise me on what you did?
I am also not seeing the host on the Splunk server.

Here is how my setup went:

1) install full splunk on server1. Installed *nix app and verified that it is collecting data.

2) install full splunk on server2. Installed *nix app and verified that it is collecting data.

3) configure receiving on splunk server1 to port 9997.

4) Enabled forwarding on server2.

cd /opt/splunk/bin
./splunk start
./splunk enable app SplunkLightForwarder
./splunk restart
./splunk add forward-server :9997
./splunk restart

5) Opened splunk server1 web but did not see server2.

Please advise; I appreciate your help. Thank you.

Splunk Employee

If those are all your steps, it doesn't look like you configured your forwarder to collect any data, so it may not have anything to forward. I recommend configuring your forwarder as a full Splunk, initially, until you can confirm that it is collecting data. Once the data is right, use Manager-->Forwarding/Receiving to configure forwarding. You can even convert to a Lightweight Forwarder (LWF) in the UI.

Here are some additional notes that you might find helpful, in terms of getting some valuable data from a Linux host and configuring forwarding: http://answers.splunk.com/questions/11579/splunk-for-nix/11581#11581

If you need to convert your LWF back into a full Splunk to get it configured, stop Splunk and restore your free demo license. You can use the following command to turn a LWF into a full Splunk:

splunk disable app SplunkLightForwarder

HTH
ron
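To make the point above concrete: a forwarder with no inputs has nothing to send, however correct the forward-server setting is. The script below is an added example, not part of this thread or of Splunk's own tooling. It writes the two files that define what a forwarder collects (inputs.conf) and where it sends it (outputs.conf), then checks them before a restart. The indexer hostname splunk-indexer.example.com and the target directory are assumed placeholders; the real indexer name belongs in the forward-server entry, since a bare ":9997" gives the forwarder nowhere to connect.

```shell
#!/bin/sh
# Added example (not from the thread): generate the inputs.conf and outputs.conf
# a Splunk forwarder needs to collect /var/log/messages and ship it to an indexer
# listening on port 9997. INDEXER_HOST is an assumed placeholder.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
INDEXER_HOST="${INDEXER_HOST:-splunk-indexer.example.com}"   # assumed placeholder

# Write both files into the given directory, normally $SPLUNK_HOME/etc/system/local.
write_forwarder_conf() {
  dir="$1"
  mkdir -p "$dir" || return 1
  cat > "$dir/inputs.conf" <<EOF
# Collect only the syslog file the thread asks about; nothing else.
[monitor:///var/log/messages]
sourcetype = syslog
index = main
disabled = false
EOF
  cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = ${INDEXER_HOST}:9997
EOF
}

# Sanity check before restarting Splunk: at least one monitor stanza exists, and the
# forward-server entry names a host and port rather than a bare ":9997".
check_forwarder_conf() {
  dir="$1"
  grep -q '^\[monitor://' "$dir/inputs.conf" || return 1
  grep -Eq '^server = [A-Za-z0-9._-]+:[0-9]+$' "$dir/outputs.conf" || return 1
  return 0
}

# Usage (as root, with Splunk stopped):
#   write_forwarder_conf "$SPLUNK_HOME/etc/system/local" \
#     && check_forwarder_conf "$SPLUNK_HOME/etc/system/local" \
#     && "$SPLUNK_HOME/bin/splunk" restart
```

The equivalent CLI route, which writes the same kind of stanzas, is `./splunk add monitor /var/log/messages -sourcetype syslog` followed by `./splunk add forward-server <indexer-host>:9997`; `./splunk list monitor` and `./splunk list forward-server` show what the forwarder actually has configured, which is the first thing to look at when nothing arrives. The tcpout connection is cleartext unless the SSL settings in outputs.conf are enabled, so on an untrusted network that is the next setting to address.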

Explorer

Never mind. I figured out how to do it with just syslog.

Enable this and adapt the IP to send log messages to a log server.

destination logserver { udp("10.1.1.1" port(514)); };
log { source(src); destination(logserver); };

Thanks anyways.
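The two lines in the post above refer to a source called src, which has to be defined somewhere in the same syslog-ng configuration (many distributions define it in the default file; a hand-written config has to). The fragment below is an added example, not the poster's configuration: a minimal, self-contained syslog-ng setup that defines that source, keeps the local file, and forwards over TCP. The address 10.1.1.1 is carried over from the post; syslog-ng 3.x syntax is assumed.

```conf
# Added example (not the poster's config): minimal syslog-ng forwarding setup.
# Defines the "src" source the post's log statement refers to.
source src {
    system();     # /dev/log and kernel messages, i.e. what ends up in /var/log/messages
    internal();   # syslog-ng's own messages, which is where a failed connection shows up
};

# Keep writing the local file so nothing is lost while the network path is down.
destination d_local { file("/var/log/messages"); };

# TCP rather than UDP: a refused or dropped connection is reported in the internal
# log, whereas UDP datagrams to an unreachable collector disappear silently.
destination logserver { tcp("10.1.1.1" port(514)); };

log { source(src); destination(d_local); destination(logserver); };
```

Run `syslog-ng -s` to syntax-check the file before reloading. On the Splunk side a matching network input has to exist (a TCP or UDP input on 514 under Manager, Data inputs); binding to port 514 needs root or the equivalent capability, which is a common reason a syslog input silently receives nothing.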

Explorer

I don't want all the info that is taken with the *nix app. All I want to be forwarded is the log data. Is there a simple command I can run from the CLI to do this?