How to setup forwarder (light) in Linux?

mpandyaCS
New Member

I am trying to set up a forwarder on my server and it's not working.
FYI - I have two servers:
1) Full Splunk (trial version downloaded from splunk.com) installed.
2) Only the forwarder (also downloaded from splunk.com) installed.
I am following the procedure below to set it up:
Ran ./splunk start on both servers.
Logged on to Splunk Web using the admin account and configured a receiver (via the Manager option) on TCP port 8189.
Configured the forwarder and specified the other server with port 8189 (server 2), from where I need the data to be forwarded to this main Splunk indexer (server A).

*Web login is on server A (where the main Splunk instance is running).
With all this it's not working. I have restarted the servers on both instances after I configured the receivers and forwarders.
I'm not sure what the actual procedure is that I should follow to make it work.

Please advise.
Thanks,
Mukesh.

trodenbaugh
Explorer

You might look at the var/log/splunk/splunkd.log file on the forwarder. It will give you clues on connectivity to your Splunk index server as well as the folders that it is monitoring. You will see errors in this file if it cannot connect to the indexer. The metrics.log file will also tell you what files it is actually processing and sending to the indexer.

mpandyaCS
New Member

Based on my understanding, I expect to see some data on the indexer after I have configured the receiver on the main Splunk installation server (using inputs.conf) and outputs.conf on the forwarder server (server B) where the light forwarder is installed.
Any further advice would be helpful. Thanks in advance.

mpandyaCS
New Member

Thanks Chris, I am using the light forwarder. FYI to all: I am a newbie to Splunk and have been trying to set up an environment on our infrastructure. I did not find any documentation earlier about monitors. Anyway, I have installed the Deployment Monitor now and am trying to see if I can do any configuration on either machine directly or on the web to make sure I see the data from both servers.

Ayn
Legend

If you haven't added any monitors on the forwarder, what data were you really expecting to see after your initial setup? Forwarders by default do not monitor anything at all...

ChrisG
Splunk Employee

The Splunk Deployment Monitor is a separate app, see the documentation at http://docs.splunk.com/Documentation/DepMon/5.0.2/DeployDepMon/AboutSplunkDeploymentMonitorApp. Are you using the universal forwarder or the light forwarder (I know you said light but I'm double-checking)? Here is the information about searching for host information in index=_internal: http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Deployanixdfmanually#Troubleshoot_your_depl....

mpandyaCS
New Member

Thanks for your response :). I have not done the monitor setup on the forwarder. After looking at your response, I tried to do some setup but can't find any tips on setting up a monitor. Please advise if there is any documentation or tips.
Thanks,

okrabbe_splunk
Splunk Employee

Have you tried sending data to the indexer by setting up a monitor on the forwarder?

Also, have you done a search for index=_internal and seen what results are returned for host? You should see the forwarder's host.
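As an added example (not configuration posted by anyone in this thread), this is the minimal set of .conf stanzas the replies above describe: a splunktcp receiver on the indexer, a tcpout group on the forwarder pointing at it, and a monitor stanza so the forwarder actually has something to send. Port 8189 is the one from the question; the hostname serverA.example.com, the /var/log/messages path, and the index and sourcetype names are assumed placeholders.

```ini
# --- On the indexer (server A): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for forwarded data on the receiving port chosen in the question.
[splunktcp://8189]
disabled = 0

# --- On the forwarder (server B): $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send all forwarded data to the indexer; the hostname is an assumed placeholder.
[tcpout]
defaultGroup = indexer_a

[tcpout:indexer_a]
server = serverA.example.com:8189

# --- On the forwarder (server B): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Without a monitor stanza the forwarder sends nothing except its own
# _internal logs. Path, index and sourcetype are assumptions for this example.
[monitor:///var/log/messages]
disabled = 0
index = main
sourcetype = syslog
```

After editing, restart Splunk on both instances; then search index=_internal on the indexer for the forwarder's host as suggested above, and check splunkd.log on the forwarder for connection errors if nothing arrives.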
