Deployment Architecture

Lightweight Forwarder problem

nitinthakur
New Member

Hi

I have set up an indexer and am trying to configure a lightweight forwarder. My input.conf on the indexer looks like this:

[default]
host = abc

[tcp://:9997]
connection_host = dns

[splunktcp://:9997]
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 60

and output.conf on the lightweight forwarder looks like this:

[tcpout]
disabled = false
indexAndForward = 0
defaultGroup=my_indexers

[tcpout:my_indexers]
server=abc:9997

[tcpout-server://abc:9997]

When I run Wireshark I can see data packets going between the two hosts, but when I look in the *NIX or search app, I do not see my lightweight forwarder server in it. Any clue what I am missing?

Thanks

0 Karma

gkanapathy
Splunk Employee

Is your forwarder configured to read any data/inputs?

0 Karma

gkanapathy
Splunk Employee

Well, you generally shouldn't modify items in default/* because they get overwritten on upgrade. You should instead override the setting in local/*. But the Unix app is disabled overall by default, so you would need to enable it by creating a local/app.conf with the "state = enabled" setting. (See default/app.conf)

0 Karma

nitinthakur
New Member

Okay, then the million dollar question: how do I enable the *nix app? I set disabled = false for everything in /opt/splunk/etc/apps/unix/default/inputs.conf and restarted splunkd, but to no avail...

0 Karma

gkanapathy
Splunk Employee

Sounds to me like the Unix inputs aren't enabled on the forwarder, so no data is being read or collected, so nothing will show up for that machine in the app?

0 Karma

nitinthakur
New Member

In the search app I did index=_internal and the search result showed me the forwarded host there. So forwarding is working. So your question makes sense: am I monitoring anything? No, in that case. I am not interested in monitoring any files at this point. I want to see my host appear under the *NIX application on the indexer. Is there any specific configuration needed to achieve that?

0 Karma

nitinthakur
New Member

There is nothing in inputs.conf on the forwarder. The Unix app is installed on it. As per my understanding, everything should be going from the forwarder to the os index on the receiver. But for some reason, on the indexer I do not see any mention of the forwarder server in any of the indexes.

0 Karma

Lowell
Super Champion

Start by removing your [tcp://:9997] stanza; you shouldn't have both a splunktcp and tcp listener on the same port like this.

0 Karma
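
The overlap Lowell describes can be checked mechanically. The following is an added example, not part of the original thread and not Splunk tooling: a small Python lint that parses an inputs.conf and reports any port claimed by both a raw tcp and a splunktcp stanza. The function names are hypothetical, the sample is the configuration posted in the question, and only the `scheme://host:port` stanza form shown on this page is handled.

```python
import re
from collections import defaultdict

# Constructed sample: the indexer configuration as posted in the question.
SAMPLE_INPUTS_CONF = """\
[default]
host = abc

[tcp://:9997]
connection_host = dns

[splunktcp://:9997]
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 60
"""

# Matches the stanza form used on this page: <scheme>://<optional host>:<port>
LISTENER_RE = re.compile(r"^(tcp|splunktcp)://[^:]*:(\d+)$")


def parse_stanzas(conf_text):
    """Return a list of (stanza_header, {key: value}) in file order."""
    stanzas = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1], {}))
        elif "=" in line and stanzas:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas


def port_conflicts(conf_text):
    """Return {port: [schemes]} for ports with both tcp and splunktcp listeners."""
    by_port = defaultdict(set)
    for header, settings in parse_stanzas(conf_text):
        match = LISTENER_RE.match(header)
        if not match:
            continue  # [default] and non-network inputs are ignored
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue  # a disabled stanza does not open a listener
        by_port[int(match.group(2))].add(match.group(1))
    return {p: sorted(s) for p, s in by_port.items() if len(s) > 1}


if __name__ == "__main__":
    for port, schemes in port_conflicts(SAMPLE_INPUTS_CONF).items():
        print(f"port {port} is claimed by: {', '.join(schemes)}")
```
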

nitinthakur
New Member

Even after that it doesn't work. Any other clues? I can see in the logs:
02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.131 INFO TcpInputProc - Valid signature found
02-07-2011 15:15:51.131 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx
02-07-2011 15:15:51.165 INFO TcpInputProc - Valid signature found
02-07-2011 15:15:51.165 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx

But I still don't see that host in the UI.

0 Karma