Lightweight Forwarder problem

nitinthakur
New Member

Hi

I have set up an indexer and am trying to configure a lightweight forwarder. My inputs.conf on the indexer looks like this:

[default]
host = abc

[tcp://:9997]
connection_host = dns

[splunktcp://:9997]
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 60

and outputs.conf on the lightweight forwarder looks like this:

[tcpout]
disabled = false
indexAndForward = 0
defaultGroup=my_indexers

[tcpout:my_indexers]
server=abc:9997

[tcpout-server://abc:9997]

When I run Wireshark I can see data packets going between the two hosts, but when I look into the *NIX or Search app, I do not see my lightweight forwarder server in it. Any clue what I am missing?

Thanks


gkanapathy
Splunk Employee

Is your forwarder configured to read any data/inputs?


gkanapathy
Splunk Employee

Well, you generally shouldn't modify items in default/* because they get overwritten on upgrade. You should instead override the setting in local/*. But the Unix app is disabled overall by default, so you would need to enable it by creating a local/app.conf with the "state = enabled" setting. (See default/app.conf)

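The default/ versus local/ layering described above is what decides whether the forwarder collects anything at all. The following is an added example, not code from the thread or from Splunk: it resolves the effective settings the way Splunk's precedence works (a key in local/ overrides the same key in default/) and reports whether the app is enabled and which input stanzas are live. It assumes the "state" key sits under an [install] stanza in app.conf, and the scripted-input stanzas in the constructed sample app are modelled on the Unix app rather than copied from it.

```python
import configparser
import tempfile
from pathlib import Path

def load_layered(app_dir, conf_name):
    """Read <app>/default/<conf> then <app>/local/<conf>; a key set in local/ overrides default/."""
    merged = {}
    for layer in ("default", "local"):
        path = Path(app_dir) / layer / conf_name
        if not path.is_file():
            continue
        cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
        cp.optionxform = str  # keep Splunk key names exactly as written
        cp.read(path)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp[stanza])
    return merged

def app_enabled(app_dir):
    """An app runs only if its effective [install] state is 'enabled'; the Unix app ships disabled."""
    install = load_layered(app_dir, "app.conf").get("install", {})
    return install.get("state", "disabled").strip().lower() == "enabled"

def enabled_inputs(app_dir):
    """Input stanzas whose effective 'disabled' flag is off, i.e. the inputs that will collect data."""
    inputs = load_layered(app_dir, "inputs.conf")
    return sorted(stanza for stanza, kv in inputs.items() if stanza != "default"
                  and kv.get("disabled", "false").strip().lower() not in ("1", "true"))

def build_demo_app(root):
    """Constructed sample app: default/ as shipped (all off), local/ with the overrides the thread describes."""
    app = Path(root) / "unix"
    files = {
        "default/app.conf": "[install]\nstate = disabled\n",
        "default/inputs.conf": "[script://./bin/cpu.sh]\ndisabled = 1\n\n[script://./bin/ps.sh]\ndisabled = 1\n",
        "local/app.conf": "[install]\nstate = enabled\n",
        "local/inputs.conf": "[script://./bin/cpu.sh]\ndisabled = 0\n",
    }
    for rel, body in files.items():
        target = app / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return app

def check_demo():
    """Build the sample app in a temp dir and return (app enabled?, enabled input stanzas)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_demo_app(tmp)
        return app_enabled(app), enabled_inputs(app)
```

Point the two functions at a real $SPLUNK_HOME/etc/apps/unix directory on a forwarder to see whether the app state and inputs are actually on after editing local/ files.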

nitinthakur
New Member

Okay, then the million dollar question: how do I enable the *nix app? I set disabled = false for everything in /opt/splunk/etc/apps/unix/default/inputs.conf and restarted Splunk, but to no avail.


gkanapathy
Splunk Employee

Sounds to me like the Unix inputs aren't enabled on the forwarder, so no data is being read or collected, so nothing will show up for that machine in the app?


nitinthakur
New Member

In the Search app I did index=_internal and the search result showed me the forwarded host there, so forwarding is working. So your question makes sense: am I monitoring anything? No, in that case. I am not interested in monitoring any files at this point. I want to see my host appear under the *NIX application on the indexer. Is there any specific configuration that needs to be done to achieve that?


nitinthakur
New Member

There is nothing in inputs.conf on the forwarder. The Unix app is installed on it. As per my understanding, everything should be going from the forwarder to the os index on the receiver. But for some reason, on the indexer I do not see any mention of the forwarder server in any of the indexes.


Lowell
Super Champion

Start by removing your [tcp://:9997] stanza, you shouldn't have both a splunktcp and tcp listener on the same port like this.


nitinthakur
New Member

Even after that it doesn't work. Any other clues? I can see this in the logs:
02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.131 INFO TcpInputProc - Valid signature found
02-07-2011 15:15:51.131 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.165 INFO TcpInputProc - Valid signature found
02-07-2011 15:15:51.165 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx

but I still don't see that host in the UI.
