Trying to Install Splunk Forwarder - Not showing Up in Splunk yet

heats
Explorer

I've been trying to install an older version of the Splunk Forwarder on a Server 2016 R2 box with no luck. I'm pretty sure I have what is needed in the inputs.conf, outputs.conf, the server.pem file, and the cacert.pem file. Is there anything else I could be missing? I even restarted the splunkd service and it's still not popping up. I'm not familiar with reading the splunkd logs to see what could have gone wrong.

0 Karma
1 Solution

heats
Explorer

It looks like I forgot the deploymentclient piece and a few other things as well. I have the box now showing in Splunk; I'm just trying to ship logs to it now, and that doesn't seem to be working! Oh, what a process! I'll open a new thread for that.

0 Karma

gfreitas
Builder

Do you see any successful connection messages in splunkd.log on the forwarder?

0 Karma

heats
Explorer

I see this:

04-20-2017 14:57:04.650 -0400 INFO DS_DC_Common - Deployment Server|Client initialized successfully.

0 Karma

heats
Explorer

To be honest, this is my first time looking at a splunkd log. Would it just be listed as a successful connection in there?

0 Karma

gfreitas
Builder

Try looking for:

TcpOutputProc - Cooked connection to ip=x.x.x.x

0 Karma

heats
Explorer

I actually found some things on our main Splunk server which are likely why this isn't working:

04-21-2017 10:42:23.281 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate expired'.
04-21-2017 10:42:23.281 -0400 ERROR TcpInputProc - Error encountered for connection from src=172.16.X.X:56238. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

* I put the X.X in.

Do you know which cert this is referring to?

0 Karma
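The log checks walked through above (the TcpOutputProc success line gfreitas points to, the DS_DC_Common deployment-client line, and the SSLCommon/TcpInputProc "certificate expired" errors found on the indexer), turned into a small splunkd.log triage script. This is an added example, not code from the thread or from Splunk; the message patterns come only from the lines quoted in this thread, and the sample log lines are constructed from them.

```python
import re
from collections import Counter
# Line shape quoted in the thread: "MM-DD-YYYY HH:MM:SS.mmm -0400 LEVEL Component - message"
LINE_RE = re.compile(r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
                     r"(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+-\s+(?P<msg>.*)$")
# Signals named in the thread: forwarder-side success, deployment-client handshake, indexer-side TLS failures.
SIGNALS = {
    "output_connected": re.compile(r"TcpOutputProc - Cooked connection to ip=(?P<ip>[\d.]+)"),
    "deployment_client_ok": re.compile(r"DS_DC_Common - Deployment Server\|Client initialized successfully"),
    "ssl_alert": re.compile(r"SSLCommon - Received fatal SSL3 alert\..*alert_description='(?P<alert>[^']+)'"),
    "input_ssl_error": re.compile(r"TcpInputProc - Error encountered for connection from src=(?P<src>[\d.X]+):\d+"),
}

def parse_line(line):
    # Split one log line into fields and tag it with the first signal it matches (None if no signal).
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(m.groupdict(), signal=None)
    for name, pat in SIGNALS.items():
        hit = pat.search(line)
        if hit:
            rec["signal"] = name
            rec.update(hit.groupdict())
            break
    return rec

def triage(lines):
    # Classify connectivity from splunkd.log lines; a TLS failure wins because the deployment-client
    # handshake can succeed while data forwarding to the indexer is still being rejected.
    counts, alerts = Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["signal"]:
            continue
        counts[rec["signal"]] += 1
        if rec["signal"] == "ssl_alert":
            alerts.add(rec["alert"])
    if counts["ssl_alert"] or counts["input_ssl_error"]:
        verdict = "tls_failure"
    elif counts["output_connected"]:
        verdict = "connected"
    else:
        verdict = "deployment_only" if counts["deployment_client_ok"] else "no_signal"
    return {"verdict": verdict, "counts": dict(counts), "alerts": sorted(alerts)}

# Constructed sample from the thread's quoted lines (172.16.X.X is the poster's own masking, 192.0.2.10 is
# a documentation address); the first two lines are indexer-side, the last two are forwarder-side.
SAMPLE_LOG = [
    "04-21-2017 10:42:23.281 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate expired'.",
    "04-21-2017 10:42:23.281 -0400 ERROR TcpInputProc - Error encountered for connection from src=172.16.X.X:56238. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired",
    "04-20-2017 14:57:04.650 -0400 INFO DS_DC_Common - Deployment Server|Client initialized successfully.",
    "04-22-2017 09:00:00.000 -0400 INFO TcpOutputProc - Cooked connection to ip=192.0.2.10:9997",
]
```

Run triage over the indexer's splunkd.log and the forwarder's separately: a "tls_failure" verdict on the indexer side with alert "certificate expired" points at the certificate configured in outputs.conf, while "deployment_only" on the forwarder means the deployment client registered but no data connection was ever established.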

gfreitas
Builder

It should be using the cert you specified in outputs.conf.

0 Karma

brreeves_splunk
Splunk Employee

2016 is still on R1, and is currently unsupported.

Also, what version are you trying to install?

0 Karma

heats
Explorer

Sorry, I meant to say Windows Server 2016 Server Core. Still unsupported? I think the install went through; it's just that it's not popping up. I was doing this as a test. We will be upgrading our forwarders that are currently at 6.4.1 and I wanted to test Ansible plays. Do you suggest maybe I try spinning up another Windows Server that isn't 2016? Thanks!

0 Karma

brreeves_splunk
Splunk Employee

My 6.5.2 install on my 2016 server with GUI works pretty well, but I'm only collecting basic Windows TA information at the moment.

6.5.4 will add support for 2016 server in late May.

0 Karma