Getting Data In

After installing and configuring a universal forwarder on a remote Linux machine, why am I unable to login and connect to the remote instance?

dougcabell
Explorer

On the remote end I see this after installing/configuring Universal Forwarder:

./splunk list forward-server
Splunk username: admin
Password: 
Active forwards:
    10.40.10.69:9997
Configured but inactive forwards:
    None

If I run setup.sh on the Splunk Server I see an option 5 per below:

    Please choose from one of the following options:

1 - show *nix input status
2 - manage *nix inputs
3 - install/upgrade app
4 - change credentials
5 - connect to remote instance

0 - logout and exit program

I select option 5 and try http://nvp02:8089 and I try 10.30.11.25:8089 and neither will let me login
If I try https://nvp02:8089 and I try https://10.30.11.25:8089 I still cannot login
NO LOGINS WORK
If I run setup.sh on the remote server when it asks for the initial login before the menu, I can login with the default spunk uname/pwd
Yes, I can ssh and sftp from the server to the remote linux host.

Why does this not work for me?

Help please

Thank You

0 Karma
1 Solution

dougcabell
Explorer

My own answer, I fixed it
Needed to modify server.conf on the Universal forwarder to include
[general]
allowRemoteLogin =requireSetPassword
and need to change the password from the default
./splunk edit user admin -password "new admin password" -role admin -auth admin:change me

Definitely a documentation issue for sure. Lack thereof.

View solution in original post

dougcabell
Explorer

My own answer, I fixed it
Needed to modify server.conf on the Universal forwarder to include
[general]
allowRemoteLogin =requireSetPassword
and need to change the password from the default
./splunk edit user admin -password "new admin password" -role admin -auth admin:change me

Definitely a documentation issue for sure. Lack thereof.

ppablo
Retired
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...