After 2 days of reading numerous help docs and watching tutorial videos I am still not able to get Splunk Cloud monitoring a simple event log of my Windows test PC. Having installed and de-installed the universal forwarder 10+ times, I am now on the edge of walking away from this Splunk puzzle. The SplunkUniversalForwarder service is running, the splunkd process is running, what next to check...
input.conf:
[default]
host = Asus-AP
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
server.conf:
[general]
serverName = Asus-AP
pass4SymmKey = [redacted]
[sslConfig]
sslKeysfilePassword = [redacted]
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
deploymentclient.conf:
[target-broker:deploymentServer]
targetUri = [redacted].cloud.splunk.com:8089
NO outputs.conf file (why? and where do I correct this? Adding it manually?)
I miss a complete step-by-step video or document to make a simple working setup for Splunk Cloud monitoring the event log of a Windows PC system. When starting to read a help document and clicking on the relevant part, it opens a new page... in no time I have at least 10 pages open and still no answer...
Some help is appreciated.
Regards
A.Pietersen
After 14 days still no input. In the meantime I installed a Splunk Enterprise instance and a universal forwarder instance, as a trial on a local network. Yes, I hear you thinking: see, it was a firewall/security/network issue. No, it is definitely not such an issue. I am also the network administrator, so I opened all ports, created all rules and ACLs one can think of related to Splunk, disabled all firewalls on the related Windows PCs, and could successfully telnet to all ports that were configured on [input- :xxxx] - still no meaningful data coming in.
To conclude this topic, my tip is: as a newbie you had better start with a local setup so you can learn faster and understand better the terminology and overall architecture of the Splunk platform. Besides: Splunk Cloud does not provide all the features and configs that Splunk Enterprise does, which is logical but very confusing for a newbie. Thanks..
Hi
Ok ? Meaning..?, cause...? , what now? Where to look and to troubleshoot further...
https://answers.splunk.com/storage/temp/134181-blocked-1.png
regards
apietersen
That means you can't connect to the indexers on that port, at that address. So Splunk disables the forwarding for 100s... then on the next try it will disable it for 200s, 300s, 400s, and so on... It's basically trying to conserve your bandwidth since it can't reach its destination.
Thanks for the responses.
I get some input but no event log data from my (single) local instance (as a universal forwarder):
https://answers.splunk.com/storage/temp/134179-no-forwarder.png
https://answers.splunk.com/storage/temp/134180-no-permiss-1.png
NB: no telnet response on my trial Splunk Cloud (added a firewall rule on my test PC, not yet on the security device of our network, but I can not believe that that is needed as well; the traffic/session is initiated from the universal forwarder inside ???):
C:\WINDOWS\system32>telnet prd-p-7jmfcpd9xcqm.cloud.splunk.com 9997
Er wordt verbinding gemaakt met prd-p-7jmfcpd9xcqm.cloud.splunk.com...Kan geen verbinding met de host maken, op poort 9997: Het maken van de verbinding is mislukt
regards
apietersen
Sorry: it seems I do not have enough karma points (?) to send you more detailed screenshots/snippets.
Of course your network firewall / security device is blocking this port!!! What is so hard to believe?
Send your network security team a request to open bidirectional TCP 9997 from the forwarder(s) to prd-p-7jmfcpd9xcqm.cloud.splunk.com.
Hi jkat54
This kind of response I do not appreciate.
Besides, I think you are wrong here and you are more or less proving my point: for a newbie as I am, there are many points of possible failure. So, no need for exclamation marks here. Note: after adding several extra receiver lines with different port numbers, including 9997, on "input-prd-p-7jmfcpd9xcqm.cloud.splunk.com" in the Splunk portal (or whatever they call it) I got a response from Splunk Cloud. My conclusion: no blocking by any firewall rule or security device here.
Regards
apietersen
It could be routes too, and I don't know what I was thinking saying "bidirectional"; 9997 should be directional from your UF to the indexers.
Sounds like you’ve got it figured out. Cheers!!!
The cloud service should provide an app in the web GUI to download the universal forwarder and a Splunk app to download and install (instructions are provided) within your universal forwarders. In that app there should be a preconfigured outputs.conf file which tells your UF where to send data.
If you have that app installed within your UF instance, you might also determine if a firewall is blocking outbound traffic on TCP 9997.
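The two things this answer and the original question turn on are the content of outputs.conf (which the poster did not have) and whether the forwarder can actually open TCP 9997 to the address in it. The script below is an added example, not code from the thread or from Splunk: it parses the [tcpout:<group>] server= entries of an outputs.conf and then tries a plain TCP connect to each host:port with a timeout, which is the same check the telnet attempt above performs, done from the forwarder host. The sample outputs.conf is constructed for this example (the hostname input-prd-p-EXAMPLE.cloud.splunk.com is a placeholder, not a real Splunk Cloud stack); a real Splunk Cloud credentials app also carries SSL settings that are deliberately left out here.

```python
import configparser
import socket
from typing import Dict, List, Tuple

# Constructed sample in the shape the Splunk Cloud credentials app drops into
# $SPLUNK_HOME/etc/apps/<app>/local/outputs.conf (placeholder hostname, no SSL keys).
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = input-prd-p-EXAMPLE.cloud.splunk.com:9997
sslVerifyServerCert = true
"""


def parse_tcpout_targets(conf_text: str) -> List[Tuple[str, int]]:
    """Return (host, port) pairs from every 'server =' line in a [tcpout:<group>] stanza.

    Splunk .conf files are INI-style, so configparser handles them; interpolation
    is disabled so literal '%' characters in values are not misread.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names exactly as written (Splunk keys are case-sensitive)
    parser.read_string(conf_text)
    targets: List[Tuple[str, int]] = []
    for section in parser.sections():
        if not section.startswith("tcpout:"):
            continue  # [tcpout] itself only names the default group
        for entry in parser.get(section, "server", fallback="").split(","):
            entry = entry.strip()
            if not entry:
                continue
            host, sep, port = entry.rpartition(":")
            if not sep or not port.isdigit():
                raise ValueError(f"{section}: server entry {entry!r} is not host:port")
            targets.append((host, int(port)))
    return targets


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.

    A refused or timed-out connect is what produces the 'blocked' back-off
    (100s, 200s, ...) in splunkd.log; this reproduces that first step only.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_targets(conf_text: str, timeout: float = 3.0) -> Dict[str, bool]:
    """Map each 'host:port' from the outputs.conf text to its reachability."""
    return {
        f"{host}:{port}": tcp_reachable(host, port, timeout)
        for host, port in parse_tcpout_targets(conf_text)
    }


if __name__ == "__main__":
    # Against the placeholder hostname this reports False; point it at your own
    # outputs.conf (e.g. open(...).read()) to test the real indexer address.
    for target, ok in check_targets(SAMPLE_OUTPUTS_CONF).items():
        print(f"{target}: {'reachable' if ok else 'NOT reachable'}")
```

If a target reports NOT reachable from the forwarder host but the same host:port answers from elsewhere, the block is on the path out of that host (local firewall, proxy or route), which is exactly the distinction the thread argues about.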
It is inputs.conf, with an s, not input.conf.