Lightweight Forwarder problem

New Member

Hi

I have set up an indexer and am trying to configure a lightweight forwarder. My input.conf on the indexer looks like this:

[default]
host = abc

[tcp://:9997]
connection_host = dns

[splunktcp://:9997]
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 60

and output.conf on the lightweight forwarder looks like this:

[tcpout]
disabled = false
indexAndForward = 0
defaultGroup=my_indexers

[tcpout:my_indexers]
server=abc:9997

[tcpout-server://abc:9997]

When I run Wireshark I can see data packets going between the two hosts, but when I look in the *NIX or search app, I do not see my lightweight forwarder server in it. Any clue what I am missing?

Thanks

0 Karma

Re: Lightweight Forwarder problem

Super Champion

Start by removing your [tcp://:9997] stanza, you shouldn't have both a splunktcp and tcp listener on the same port like this.

0 Karma
Re: Lightweight Forwarder problem

New Member

Even after that it doesn't work. Any other clues? I can see in the logs:
02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.131 INFO TcpInputProc - Valid signature found
02-07-2011 15:15:51.131 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.165 INFO TcpInputProc - Valid signature found
02-07-2011 15:15:51.165 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx

But I still don't see that host in the UI.

0 Karma
Re: Lightweight Forwarder problem

Splunk Employee

Is your forwarder configured to read any data/inputs?

0 Karma
Re: Lightweight Forwarder problem

New Member

There is nothing in inputs.conf on the forwarder. The unix app is installed on it. As per my understanding, everything should be going from the forwarder to the os index on the receiver. But for some reason, on the indexer I do not see any mention of the forwarder server in any of the indexes.

0 Karma
Re: Lightweight Forwarder problem

New Member

In the search app I did index=_internal and the search result showed me the forwarded host there. So forwarding is working. So your question makes sense: am I monitoring anything? No, in that case. I am not interested in monitoring any files at this point. I want to see my host appear under the *NIX application on the indexer. Is there any specific configuration needed to be done to achieve that?

0 Karma
Re: Lightweight Forwarder problem

Splunk Employee

Sounds to me like the Unix inputs aren't enabled on the forwarder, so no data is being read or collected, so nothing will show up for that machine in the app?

0 Karma
Re: Lightweight Forwarder problem

New Member

Okay, then the million dollar question: how do I enable the *nix app? I set disabled = false for everything in /opt/splunk/etc/apps/unix/default/inputs.conf and restarted splunkd, but to no avail....

0 Karma
Re: Lightweight Forwarder problem

Splunk Employee

Well, you generally shouldn't modify items in default/* because they get overwritten on upgrade. You should instead override the setting in local/*. But the Unix app is disabled overall by default, so you would need to enable it by creating a local/app.conf with the "state = enabled" setting. (See default/app.conf)

0 Karma
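
An added example, not part of the thread and not Splunk's own code: a Python check of the two points in the last reply, that settings in local/ override default/ key by key and that a disabled app collects nothing even when its inputs are enabled. The parser is simplified, and the script stanza names and intervals are constructed sample values.

```python
import tempfile
from pathlib import Path

def read_conf(path):
    """Parse a Splunk-style .conf file into {stanza: {key: value}}."""
    conf, stanza = {}, "default"
    lines = path.read_text().splitlines() if path.exists() else []
    for line in map(str.strip, lines):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def effective(app_dir, name):
    """Layer local/<name> over default/<name>, key by key within each stanza."""
    merged = read_conf(app_dir / "default" / name)
    for stanza, kv in read_conf(app_dir / "local" / name).items():
        merged.setdefault(stanza, {}).update(kv)
    return merged

def collecting_inputs(app_dir):
    """Input stanzas that will run: the app is enabled AND the input is not disabled."""
    state = effective(app_dir, "app.conf").get("install", {}).get("state", "enabled")
    if state != "enabled":
        return []  # a disabled app's configs are ignored, whatever inputs.conf says
    inputs = effective(app_dir, "inputs.conf")
    inherited = inputs.get("default", {}).get("disabled", "false")
    return sorted(s for s, kv in inputs.items() if s != "default"
                  and kv.get("disabled", inherited).lower() not in ("1", "true"))

def write(app_dir, rel, text):
    (app_dir / rel).parent.mkdir(parents=True, exist_ok=True)
    (app_dir / rel).write_text(text)

def demo():
    """Constructed sample app: shipped defaults, then overrides placed in local/."""
    app = Path(tempfile.mkdtemp()) / "unix"
    write(app, "default/app.conf", "[install]\nstate = disabled\n")
    write(app, "default/inputs.conf",
          "[script://./bin/vmstat.sh]\ninterval = 60\ndisabled = 1\n"
          "[script://./bin/ps.sh]\ninterval = 30\ndisabled = 1\n")
    before = collecting_inputs(app)
    write(app, "local/inputs.conf", "[script://./bin/vmstat.sh]\ndisabled = false\n")
    inputs_only = collecting_inputs(app)  # input enabled, app still disabled
    write(app, "local/app.conf", "[install]\nstate = enabled\n")
    return before, inputs_only, collecting_inputs(app), effective(app, "inputs.conf")
```

Calling `demo()` returns the collecting inputs at each stage; only after local/app.conf sets the app to enabled does the overridden input appear.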