Solved: Re: Azure VM - Won't report to Deployment server

spluzer · ‎05-04-2021

Hey Splunksters,

I have an Azure VM that I put a forwarder on that is supposed to reach out to my on-prem deployment server (which I have successfully done in my separate development environment).

(just a little backstory in case this helps anyone)
Originally it was installed using a script that pointed to the wrong Deployment server, so I uninstalled the forwarder - then reinstalled it pointing to the correct deployment server

I checked the deploymentclient.conf and it is pointed correctly - restarted the service etc etc. - But none of the deployment apps are showing up on the client - and the DS GUI does not show the the client server in forwarding management

Ran a test-netconnection from the Azuer machine to the DS using the DS management port - and got TCP success

However, when I run test connection on the DS back to the Azure machine it fails -- Which would lead me to believe there is a firewall or isn't set to bi-directional port etc etc etc.

HOWEVER, my DEV setup gives me the exact same test connection failure going FROM: the DS TO: the Azure client machine ----BUT IT STILL WORKS (data comes in, apps deploy , etc in DEV ) ---so I'm confused

That's why I feel like I am taking crazy pills. Considering doing a full reboot of the client machine, but that is not optimal at the moment.

Thanks!

spluzer · ‎11-03-2021

Update:

The outputs.conf on the azure client did not have the fqdn for the indexer and deployment server. We weren't including the fqdn in the outputs.conf the was being deployed, bc all of our hosts at the time were on-prem.

Obviously, Azure needed the full name like (splunkserver.somedomain:8089)

Instead of splunkserver:8089

View solution in original post

s2_splunk · ‎05-04-2021

The DS never reaches out to clients, connections are always initiated by the deployment client every phoneHomeInterval seconds. What hostname does the Azure VM present to the DS? Maybe it simply doesn't match any of your defined serverclass.conf entries?

You can try to set clientName in deploymentclient.conf to a static value that matches serverclass.conf rules to test this theory. Also, splunkd.log on the DC will provide clues; look for component=HttpPubSubConnection to see if the connection is successful.

HTH

spluzer · ‎05-07-2021

Thanks! I will check it out. I guess I'm still a little confused. In the past, after installing the forwarder, I could find the host in the forwarder management GUI- THEN I would set up a server class for that machine. I don't see the host showing up at all in forwarder management. However, I haven't had access to the machine yet, so I will check the logs you mentioned on the client side when I gain access...thanks again!

s2_splunk · ‎05-07-2021

Ah, yes. You are correct. It should show up as soon as it phones home, even without matching apps. Sorry I misunderstood your description.

So, likely there is some connectivity issue between the deployment client and the DS. Forwarder logs will have clues.

spluzer · ‎11-03-2021

Update:

The outputs.conf on the azure client did not have the fqdn for the indexer and deployment server. We weren't including the fqdn in the outputs.conf the was being deployed, bc all of our hosts at the time were on-prem.

Obviously, Azure needed the full name like (splunkserver.somedomain:8089)

Instead of splunkserver:8089

s2_splunk · ‎11-03-2021

Glad to hear you got it resolved. Sounds like this could qualify as a connectivity issue. 🙂

Azure VM - Won't report to Deployment server

universal forwarder

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life