Deployment Architecture
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Splunk forwarder loop
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk forwarder loop
dbond
New Member
05-10-2012
11:59 PM
Hi,
We have a couple of instances where the splunk forwarder gets into a loop due to firewall logging.
The Forwarder is installed on windows 2008 R2, its a domain controller, firewall activity is logged (to the security event log). When The Splunk forwarder sends data to the splunk server it gets logged in the event log, this then triggers another send by splunk, which then get logged and triggered etc. This doesnt always happen, it happens after a reboot, or just after some time, it can be fine.
Why is it doing this? How can it be stopped? I have to stop the forwarder and test after a while to see if it still does it. At the moment it has sent 13GB of logs to splunk, containing mostly logs of the splunk forwarder sending logs to splunk.
Is there a way to get the splunk forwarder to exclude the log for the splunk forwarder, or to only send the data from the logs every 10 seconds, instead of right now when ever a new entry appears? Or is there another solution?
Thank You
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drainy
Champion
05-11-2012
12:38 AM
Aha, I had the same issue. It is a log message to say that a connection has been established. I think I just needed to turn down the logging for those sorts of messages.
Anyway to filter them and never index them read here;
http://splunk-base.splunk.com/answers/24000/how-do-i-exclude-some-windows-events-from-being-indexed
It has a good example on how to filter by eventcode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drainy
Champion
05-11-2012
01:16 AM
Well this is true, but you can install a Splunk indexer on the remote machine and instead configure it as a forwarder, this was how things were done before the UF or where you have specific requirements (such as this), where the power of the Splunk indexer is required.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbond
New Member
05-11-2012
01:12 AM
Thanks for your reply. From my understanding, the props.conf and transfoms.conf are only parsed on splunk, the forwarder ingnores them.
This would need to be done on the forwarder as when this happens, thousands of entries a second are added, pushing the CPU usage of splunk forwarder to close to 100%, it appears that the splunk forwarder isnt keeping the connection to the splunk server open.
Get Updates on the Splunk Community!
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
Splunk Answers Content Calendar, June Edition II
Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
