Getting Data In

Can't get Universal Forwarder to work.

sackerman
New Member

I have successfully installed the receiving server, set up the receiver, and opened firewall ports. In setting up the forwarder, after entering the server ip/username/password info it succeeded. I set up 1 line in the inputs.conf:

[monitor:///var/log/httpd/error_log]

and have restarted splunk on the forwarder and restarted Apache on the forwarder to generate some error messages. I ran the 'list monitor' command on the forwarder and it showed that it was indeed monitoring '/var/log/httpd/error_log' (as well as the splunk logs). However, there is nothing showing up on the receiver, and there are new entries in the 'error_log', and I am not sure where to start looking.


sackerman
New Member

Found another entry in the forwarder splunkd.log:

11-12-2011 11:06:48.173 -0500 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...

After searching, I only found references to solutions for when your metrics.log has 'blocked=true', but I have found no such entries in either the forwarder or the receiver metrics.log.

sackerman
New Member

Okay, I think I may have found the problem. From the forwarder's metrics.log:

11-12-2011 11:46:57.189 -0500 INFO StatusMgr - destHost=173-160-51-65-colorado.hfc.comcastbusiness.net, destIp=173.160.51.65, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor

But I am not sure what the cause is. I have the source port opened up on the forwarder and the destination port opened up on the receiver. I have looked in the 'messages' log on the receiver and I don't see that the connection has been blocked. I am looking in the same log on the forwarder and don't see that the connection has been blocked either. So what's next?

sackerman
New Member

******* /opt/splunkforwarder/bin/splunk list forward-server

Active forwards:
None
Configured but inactive forwards:
173.160.xx.xx:9997

******* inputs.conf
[default]
host = u15437226.onlinehome-server.com

[monitor:///var/log/httpd/error_log]
[monitor:///var/log/httpd/ssl_error_log]

******* outputs.conf
[tcpout]
defaultGroup = 173.160.xx.xx_9997
disabled = false

[tcpout:173.160.xx.xx_9997]
server = 173.160.xx.xx:9997

[tcpout-server://173.160.xx.xx:9997]

Not sure why it lists it under 'Configured but inactive forwards'?

mikelanghorst
Motivator

It would be helpful to see your inputs.conf on the indexer and outputs.conf on the forwarder. You can obscure or modify any sensitive data.

What's the output of ./splunk list forward-server on the forwarder?

mikesaia
Path Finder

Check the /opt/splunk/var/log/splunk/splunkd.log and metrics.log on the forwarder and receiver. You should be able to get some good info from there as a starting point. On the receiver, to view the log directory you can just run a search, index="_internal", to see the splunk log messages. But on the universal forwarder, since there is no web interface, you will have to manually view the log files. If you want to show some output from those logs, that would help.

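An added example, not from the thread or from Splunk: a small Python parser for splunkd.log and metrics.log excerpts that does the triage mikesaia suggests, reporting connect_fail events per receiver, output-queue retries, and any queue with blocked=true. The sample excerpts are constructed here from the two messages quoted earlier in the thread plus made-up lines in the same format; the field names are taken from those messages.

```python
import re
from collections import Counter

# Constructed sample excerpts: first lines are the messages quoted in the thread, the rest are made up.
SPLUNKD_LOG = """\
11-12-2011 11:06:48.173 -0500 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
11-12-2011 11:06:50.201 -0500 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
"""
METRICS_LOG = """\
11-12-2011 11:46:57.189 -0500 INFO StatusMgr - destHost=173-160-51-65-colorado.hfc.comcastbusiness.net, destIp=173.160.51.65, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
11-12-2011 11:47:27.190 -0500 INFO StatusMgr - destHost=173-160-51-65-colorado.hfc.comcastbusiness.net, destIp=173.160.51.65, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
"""
# splunkd.log / metrics.log line layout: timestamp, level, component, " - ", message.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<level>\w+) (?P<component>\w+) - (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")  # key=value pairs inside the message text

def parse_line(line):
    """Return ts/level/component/msg plus a dict of key=value fields, or None for non-log text."""
    if not (m := LINE_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec["msg"]))
    return rec

def diagnose(splunkd_text, metrics_text):
    """Count output-queue retries, connect_fail events per receiver, and queues with blocked=true."""
    out = {"queue_retries": 0, "connect_fail": Counter(), "blocked_queues": set()}
    for line in splunkd_text.splitlines():
        rec = parse_line(line)
        if rec and "Could not send data to output queue" in rec["msg"]:
            out["queue_retries"] += 1
    for line in metrics_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        f = rec["fields"]
        if rec["component"] == "StatusMgr" and f.get("eventType") == "connect_fail":
            out["connect_fail"][(f.get("destIp"), f.get("destPort"))] += 1
        if rec["component"] == "Metrics" and f.get("group") == "queue" and f.get("blocked") == "true":
            out["blocked_queues"].add(f.get("name"))
    return out

def summarize(out):
    """One finding per line; a connect_fail is the thing to chase before queue sizing."""
    lines = [f"{n} connect_fail to {ip}:{port}: the forwarder's TCP connection to the receiver is not completing"
             for (ip, port), n in out["connect_fail"].most_common()]
    if out["queue_retries"] and not out["blocked_queues"]:
        lines.append(f"{out['queue_retries']} output-queue retries with no blocked=true: data is waiting on the output, not on queue size")
    lines.extend(f"queue {q} reports blocked=true" for q in sorted(out["blocked_queues"]))
    return lines
```

Run it against real copies of the two files on the forwarder by reading them into diagnose(); the receiver side can be checked with the index="_internal" search instead.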