Getting Data In

After upgrade Splunk Universal Forwarder is not sending logs to Indexer tier

riqbal47010
Path Finder

After upgrading universal fowarder from 7.1.2 to 7.3.1, the universal forwardre stop sending logs to splunk.

0 Karma
1 Solution

riqbal47010
Path Finder

Hi
Although it was not the TLS issue. but a issue with windows TA.

Everything is connected and working fine. however problem identified and solved.
actually we have two TA's for same technology. for example, windows. one without inputs.conf and other with inputs.conf. Universal forwarded upgrade was successful. I also update the native windows TA with latest version. 6.0. and in my case it has inputs.conf as well with by default disabled everything. So I believe it was taking the precendance over the cutom windows TA( which ended as "_inputs". after deleting local/inputs.con. I start receiving the logs.

thanks woodcock for your kind reply.
Regards,

Rashid

View solution in original post

0 Karma

riqbal47010
Path Finder

Hi
Although it was not the TLS issue. but a issue with windows TA.

Everything is connected and working fine. however problem identified and solved.
actually we have two TA's for same technology. for example, windows. one without inputs.conf and other with inputs.conf. Universal forwarded upgrade was successful. I also update the native windows TA with latest version. 6.0. and in my case it has inputs.conf as well with by default disabled everything. So I believe it was taking the precendance over the cutom windows TA( which ended as "_inputs". after deleting local/inputs.con. I start receiving the logs.

thanks woodcock for your kind reply.
Regards,

Rashid

0 Karma

woodcock
Esteemed Legend

Check the error logs on the UF from UF CLI; the problem should be very clear. It might be the version of TLS.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi riqbal47010,
a stupid question: are you sure that it isn't changed anything else (ports, firewall routes, etc...)?
Check again the connection (telnet).

Ciao.
Giuseppe

0 Karma

riqbal47010
Path Finder

Hi Ciao,

Everything is connected and working fine. however problem identified and solved.
actually we have two TA's for same technology. for example, windows. one without inputs.conf and other with inputs.conf. Upgrade was successful. I also update the native windows TA with latest version. 6.0. and in my case it has inputs.conf as well with by default disabled everything. So I believe it was taking the precendance over the cutom windows TA( which ended as "_inputs". after deleting local/inputs.con. I start receiving the logs.

and thanks for replying a stupid question by .... person.. 🙂

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Is the forwarder running?

---
If this reply helps you, Karma would be appreciated.
0 Karma

riqbal47010
Path Finder

Yes Forwarder is running. However problem get solved.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...