Trying to Install Splunk Forwarder - Not showing Up in Splunk yet

Explorer

I've been trying to install an older version of the Splunk Forwarder on a Server 2016 R2 box with no luck. I'm pretty sure I have what is needed in the inputs.conf, outputs.conf, the server.pem file, and the cacert.pem file. Is there anything else I could be missing? I even restarted the splunk service and it's still not popping up. I'm not familiar with reading the splunkd logs to see what could have gone wrong.

0 Karma
1 Solution

Explorer

It looks like I forgot the deploymentclient piece and a few other things as well. I have the box now showing in Splunk; I'm just trying to ship logs to it now, and that doesn't seem to be working! Oh, what a process! I'll open a new thread for that.

0 Karma
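For anyone who hits the same gap, this is what the "deploymentclient piece" and the forwarder's outbound TLS settings look like on a 6.x universal forwarder. It is an added example, not configuration from the poster or from Splunk's documentation: the hostnames, ports, clientName and the file paths under $SPLUNK_HOME are placeholders, and the setting names are the 6.x outputs.conf ones (sslCertPath, sslRootCAPath, sslPassword, sslVerifyServerCert).

```ini
# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# Makes the forwarder phone home to the deployment server (placeholder host deploy.example.com).
[deployment-client]
# Optional; this is the name the deployment server shows for the host.
clientName = win2016core-test

[target-broker:deploymentServer]
targetUri = deploy.example.com:8089

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Sends data to the indexer over TLS (placeholder receiver idx.example.com:9997).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx.example.com:9997
# Certificate and key this forwarder presents to the indexer during the handshake.
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
# CA bundle used to verify the indexer's certificate.
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
# Passphrase of the private key in server.pem; Splunk rewrites it in encrypted form on restart.
sslPassword = password
sslVerifyServerCert = true
```

The deployment-client stanza only gets the host listed on the deployment server; data flows only once outputs.conf points at a receiver that is actually listening on that port with a matching `[splunktcp-ssl:9997]` stanza in its inputs.conf. The certificate at sslCertPath is the one the indexer sees in the handshake, so it is the first thing to check when the indexer logs a TLS alert for this forwarder.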

Builder

Do you see any success connection messages on splunkd.log on the forwarder?

0 Karma

Explorer

I see this:

04-20-2017 14:57:04.650 -0400 INFO DS_DC_Common - Deployment Server|Client initialized successfully.

0 Karma

Explorer

To be honest this is my first time looking at a splunkd log - would it just be listed as success connection in there?

0 Karma

Builder

Try to look for

TcpOutputProc - Cooked connection to ip=x.x.x.x

0 Karma

Explorer

I actually found some things on our main splunk server which is likely why this isn't working:

04-21-2017 10:42:23.281 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate expired'.
04-21-2017 10:42:23.281 -0400 ERROR TcpInputProc - Error encountered for connection from src=172.16.X.X:56238. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

(I put the X.X in.)

Do you know which cert this is referring to?

0 Karma
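The two posts above give the markers to look for on each side: the TcpOutputProc "Cooked connection to ip=" message on the forwarder, and the SSLCommon / TcpInputProc "certificate expired" pair on the indexer. Here is a small triage script that runs those checks over splunkd.log lines and reports which situation you are in. It is an added example, not code from the posters or from Splunk: the marker strings are the ones quoted in this thread, while the labels, verdicts, next-step text and sample log lines are this example's own constructions, and the IP addresses in the samples are placeholders.

```python
"""Triage splunkd.log for a forwarder that is not sending data (added example)."""
import re
from collections import Counter

# splunkd.log layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)

# (label, component, accepted log levels or None for any, message pattern).
# Labels are this example's own names; the message fragments come from the thread.
MARKERS = [
    ("data_connection_ok", "TcpOutputProc", {"INFO"},
     re.compile(r"Cooked connection to ip=(?P<ip>[\d.]+)")),
    ("data_connection_error", "TcpOutputProc", {"WARN", "ERROR"},
     re.compile(r"ip=(?P<ip>[\d.]+)")),
    ("deployment_client_ok", "DS_DC_Common", {"INFO"},
     re.compile(r"Client initialized successfully")),
    ("tls_cert_expired", "SSLCommon", None,
     re.compile(r"alert_description='certificate expired'")),
    ("tls_input_error", "TcpInputProc", None,
     re.compile(r"Error encountered for connection from src=(?P<ip>[\d.]+):\d+\. "
                r"error:(?P<code>[0-9A-Fa-f]+)")),
]

# Verdict -> what to look at next (this example's wording, based on the thread).
NEXT_STEP = {
    "data channel up": "Outbound connection to an indexer exists; if events are still "
                       "missing, check inputs.conf on the forwarder and the target index.",
    "tls handshake failing": "Receiver rejected the TLS handshake; check the expiry of the "
                             "certificate named by sslCertPath in outputs.conf and that "
                             "sslRootCAPath holds the CA that issued the receiver's cert.",
    "data connection failing": "TcpOutputProc reports a failed connection; check that the "
                               "receiver listens on the port in outputs.conf and the path is open.",
    "deployment client only": "Forwarder phones home to the deployment server but has no "
                              "data connection; check the [tcpout] server in outputs.conf.",
    "no markers": "No relevant messages; confirm splunkd is running and the log is current.",
}


def classify(line):
    """Return (label, fields) for a line carrying one of the markers, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for label, component, levels, pat in MARKERS:
        if m.group("component") != component:
            continue
        if levels is not None and m.group("level") not in levels:
            continue
        hit = pat.search(m.group("msg"))
        if hit:
            fields = {"ts": m.group("ts"), "level": m.group("level")}
            fields.update(hit.groupdict())
            return label, fields
    return None


def triage(lines):
    """Count markers, collect the peer IPs seen with each, and pick a verdict."""
    counts = Counter()
    peers = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        label, fields = hit
        counts[label] += 1
        if fields.get("ip"):
            peers.setdefault(label, set()).add(fields["ip"])
    if counts["data_connection_ok"]:
        verdict = "data channel up"
    elif counts["tls_cert_expired"] or counts["tls_input_error"]:
        verdict = "tls handshake failing"
    elif counts["data_connection_error"]:
        verdict = "data connection failing"
    elif counts["deployment_client_ok"]:
        verdict = "deployment client only"
    else:
        verdict = "no markers"
    return {"counts": dict(counts),
            "peers": {k: sorted(v) for k, v in peers.items()},
            "verdict": verdict,
            "next_step": NEXT_STEP[verdict]}


# Constructed sample lines modelled on the thread's quotes; addresses are placeholders.
FORWARDER_LOG = [
    "04-20-2017 14:57:04.650 -0400 INFO  DS_DC_Common - Deployment Server|Client initialized successfully.",
]
INDEXER_LOG = [
    "04-21-2017 10:42:23.281 -0400 WARN  SSLCommon - Received fatal SSL3 alert. "
    "ssl_state='SSLv3 read client key exchange A', alert_description='certificate expired'.",
    "04-21-2017 10:42:23.281 -0400 ERROR TcpInputProc - Error encountered for connection from "
    "src=172.16.0.5:56238. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired",
]
HEALTHY_LOG = FORWARDER_LOG + [
    "04-22-2017 09:00:01.000 -0400 INFO  TcpOutputProc - Cooked connection to ip=172.16.0.10:9997",
]

if __name__ == "__main__":
    for name, log in (("forwarder", FORWARDER_LOG), ("indexer", INDEXER_LOG), ("healthy", HEALTHY_LOG)):
        r = triage(log)
        print(f"{name}: {r['verdict']} {r['peers']}\n  -> {r['next_step']}")
```

Run it against the forwarder's $SPLUNK_HOME/var/log/splunk/splunkd.log and the indexer's log separately: the src= address the indexer reports in the TcpInputProc error is the forwarder's IP, which is how you confirm the expired certificate belongs to the host you are installing rather than to some other client.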

Builder

It should be using the cert you specified in outputs.conf.

0 Karma

Splunk Employee

2016 is still on R1, and is currently unsupported.

Also, what version are you trying to install?

0 Karma

Explorer

Sorry, I meant to say Windows Server 2016 Server Core. Still unsupported? I think the install went through; it's just that it's not popping up. I was doing this as a test. We will be upgrading our forwarders that are currently at 6.4.1 and I wanted to test Ansible plays. Do you suggest maybe I try spinning up another Windows Server that isn't 2016? Thanks!

0 Karma

Splunk Employee

My 6.5.2 install on my 2016 server with GUI works pretty well, but I'm only collecting basic Windows TA information at the moment.

6.5.4 will add support for 2016 server in late May.

0 Karma