Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

No internal logs received?

Alixfire
Loves-to-Learn
‎11-06-2022 12:10 PM

Hello,

 

Can anyone help me out with the problem of client connected to deployment server but unable to send logs of any kind. No internal logs and no monitored logs are being received at indexer even though phone home is happening and apps being deployed at the client.

 

Thank you.

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-06-2022 05:18 PM

The indexer and the deployment server (DS) should be different instances so connectivity to one does not imply connectivity to the other.

Verify the DS is delivering the right outputs.conf file to the client.  If SSL is used, make sure that file contains the SSL password and the right certificates are also sent to the client. 

Verify firewalls allow connections from client to indexer. 

Check the splunkd.log file on the client for messages that might explain the cause of the problem.

Make sure the indexer has port 9997 (or your chosen port for receiving data) open.  See Settings->Forwarding and Receiving.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Alixfire
Loves-to-Learn
‎11-08-2022 02:13 AM

Hello,

Thank you for the reply.

I tried the things you mentioned and telnet is also working fine for indexer and DS on the specified ports. Also appropriate permissions are on place for the splunk user on servers.  While all are working fine logs are not being forwarded. Any alternate things to look out for this issue. @richgalloway.

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2022 05:30 AM

Did you read splunkd.log on the client?  If the client is unable to send data to the indexer then there should be a lot of messages in the log complaining about that.  That assumes the client has data to send, of course.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...