Hi
I have set up an indexer and am trying to configure a lightweight forwarder. My inputs.conf on the indexer looks like this:
[default]
host = abc
[tcp://:9997]
connection_host = dns
[splunktcp://:9997]
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 60
and outputs.conf on the lightweight forwarder looks like this:
[tcpout]
disabled = false
indexAndForward = 0
defaultGroup=my_indexers
[tcpout:my_indexers]
server=abc:9997
[tcpout-server://abc:9997]
When I run Wireshark I can see data packets going between the two hosts, but when I look in the *NIX or Search app, I do not see my lightweight forwarder server in it. Any clue what I am missing?
Thanks
Is your forwarder configured to read any data/inputs?
Well, you generally shouldn't modify items in default/* because they get overwritten on upgrade. You should instead override the setting in local/*. But the Unix app is disabled overall by default, so you would need to enable it by creating a local/app.conf with the "state = enabled" setting. (See default/app.conf)
Okay, then the million-dollar question: how do I enable the *nix app? I set disabled = false for everything in /opt/splunk/etc/apps/unix/default/inputs.conf and restarted Splunk, but to no avail....
Sounds to me like the Unix inputs aren't enabled on the forwarder, so no data is being read or collected, so nothing will show up for that machine in the app?
In the Search app I did index=_internal and the search result showed me the forwarded host there. So forwarding is working. So your question makes sense: am I monitoring anything? No, in that case. I am not interested in monitoring any files at this point. I want to see my host appear under the *NIX application on the indexer. Is there any specific configuration needed to achieve that?
There is nothing in inputs.conf on the forwarder. There is a Unix app installed on it. As per my understanding, everything should be going from the forwarder to the os index on the receiver. But for some reason, on the indexer I do not see any mention of the forwarder server in any of the indexes.
Start by removing your [tcp://:9997] stanza; you shouldn't have both a splunktcp and a tcp listener on the same port like this.
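As an added example (not code from this thread or from Splunk itself), the following Python script mimics the two checks the answers above describe: which settings actually take effect once local/ overrides default/ stanza-by-stanza and key-by-key (so the Unix app's state and its inputs' disabled flags can be read off), and whether an indexer's inputs.conf binds both a raw [tcp://] and a cooked [splunktcp://] listener to the same port. It assumes that the app's state key lives in the [install] stanza of app.conf, as Splunk's app.conf does; the Unix app's app.conf and inputs.conf contents below are constructed stand-ins, not the real files, and the indexer inputs.conf is the one quoted in the question. Splunk's full precedence rules (btool, app ordering, $SPLUNK_HOME lookups) are deliberately not modelled.

```python
"""Toy model of Splunk .conf layering and listener-port conflicts (example code)."""
import re

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Keys before any [stanza] header go under 'default', as Splunk does."""
    conf = {}
    stanza = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def merge_layers(*layers):
    """Later layers win key-by-key within each stanza (local/ over default/)."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged

def is_truthy(value):
    """Splunk accepts 1/true/yes (and 'enabled' for app state) as 'on'."""
    return str(value).strip().lower() in ("1", "true", "yes", "enabled")

def app_enabled(default_app_conf, local_app_conf=""):
    """Effective [install] state after local/app.conf overrides default/app.conf."""
    merged = merge_layers(parse_conf(default_app_conf), parse_conf(local_app_conf))
    return is_truthy(merged.get("install", {}).get("state", "disabled"))

def enabled_inputs(*inputs_confs):
    """Input stanzas whose effective 'disabled' value is false, default/ first."""
    merged = merge_layers(*(parse_conf(t) for t in inputs_confs))
    return sorted(s for s, k in merged.items()
                  if s != "default" and not is_truthy(k.get("disabled", "false")))

# [tcp://:9997], [tcp://host:9997], [splunktcp://:9997] ...
LISTENER = re.compile(r"^(tcp|splunktcp)://(?:[^:]*):(\d+)$")

def listener_port_conflicts(inputs_conf):
    """Ports that appear in both a [tcp://...] and a [splunktcp://...] stanza."""
    by_port = {}
    for stanza in parse_conf(inputs_conf):
        m = LISTENER.match(stanza)
        if m:
            by_port.setdefault(m.group(2), set()).add(m.group(1))
    return sorted(p for p, kinds in by_port.items() if kinds == {"tcp", "splunktcp"})

# Sample data. INDEXER_INPUTS is the indexer inputs.conf quoted in the question;
# the Unix app files below are constructed stand-ins, not the app's real files.
INDEXER_INPUTS = """
[default]
host = abc
[tcp://:9997]
connection_host = dns
[splunktcp://:9997]
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 60
"""
UNIX_DEFAULT_APP = "[install]\nstate = disabled\n"      # shipped default (constructed)
UNIX_LOCAL_APP = "[install]\nstate = enabled\n"         # the local/app.conf override
UNIX_DEFAULT_INPUTS = "[script://./bin/example.sh]\ndisabled = 1\ninterval = 60\n"
UNIX_LOCAL_INPUTS = "[script://./bin/example.sh]\ndisabled = 0\n"

if __name__ == "__main__":
    print("tcp/splunktcp port conflicts:", listener_port_conflicts(INDEXER_INPUTS))
    print("Unix app enabled, default/ only:", app_enabled(UNIX_DEFAULT_APP))
    print("Unix app enabled, with local/:", app_enabled(UNIX_DEFAULT_APP, UNIX_LOCAL_APP))
    print("enabled inputs, default/ only:", enabled_inputs(UNIX_DEFAULT_INPUTS))
    print("enabled inputs, with local/:", enabled_inputs(UNIX_DEFAULT_INPUTS, UNIX_LOCAL_INPUTS))
```

Run as-is it reports port 9997 as bound by both listener types, the app as disabled until the local/app.conf layer is added, and the scripted input as enabled only once local/inputs.conf overrides the shipped disabled = 1. Editing default/ instead would give the same result today but be lost on the next upgrade, which is the point the answer above makes.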
Even after that it doesn't work. Any other clues? I can see in the logs:
02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.131 INFO TcpInputProc - Valid signature found
02-07-2011 15:15:51.131 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.165 INFO TcpInputProc - Valid signature found
02-07-2011 15:15:51.165 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx
but I still don't see that host in the UI.