Solved: Cannot see the Universal forwarder From Splunk Ent...

mmatin · ‎09-21-2024

Hi,

I have setup 2 VMs in Virtual box, installed the Splunk Enterprise in Windows server 2022, and installed the universal forwarder in windows 10 VM.

I have enabled listening port 9997 in Splunk Enterprise.

While installing UF, I have skipped the deployment server config (let it empty), and entered the IP of Windows server machine in the receiving indexer window.

Then I checked the connection from UF machine to Splunk enterprise by this PS command:

Test-NetConnection -Computername xxx.xxx.x.xxx -port 9997 (Successful)

and from Splunk to Universal forwarder

Test-NetConnection -Computername xxx.xxx.x.xxx (Successful)

So connection is up and running between the 2 devices.

But then in Splunk Enterprise, when I go to Settings > Forwarder Management, I cannot see the windows client.

Same issue in Settings > Add Data > Forward

"There are currently no forwarders configured as deployment clients to this instance"

=== > What am i doing wrong? Did i skip any configuration? Can someone help PLEASE?

mmatin · ‎09-21-2024

## Solution found:

- Issue was the windows defender firewall for outbound traffic in the windows 10 (UF machine). Added a new outbound rule for any traffic outgoing via splunkd.exe. And now I can see the device in Forwarder management. 🙂 🙂

View solution in original post

mmatin · ‎09-21-2024

## Solution found:

- Issue was the windows defender firewall for outbound traffic in the windows 10 (UF machine). Added a new outbound rule for any traffic outgoing via splunkd.exe. And now I can see the device in Forwarder management. 🙂 🙂

PickleRick · ‎09-21-2024

You skipped the DS configuration so your UF is _not_ managed by the DS.

You can still configure your UF manually and if you properly pointed it to the indexer, you should see the internal UF's logs in the _internal index but you can't manage the UF until you point it at DS

See https://docs.splunk.com/Documentation/Splunk/latest/Updating/Configuredeploymentclients

mmatin · ‎09-21-2024

So do I need another VM setup as the Deployment server? I saw 1 or 2 videos where they said since it's a simple lab setup and only one local forwarder, don't need deployment server config.

isoutamo · ‎09-28-2024

This is meaning that you don't need a separate DS server until you have something like 50 UF Deployment Clients.

Usually you should configure own app to manage that DS configuration to UFs. You could use same or separate app for outputs.conf too. If you set those on installation phase then it's hard to change those later as those are configured under ...\etc\system\local which you cannot manage by DS.

PickleRick · ‎09-21-2024

No. Your AIO (all-in-one) box which works as SH and indexer can also be a DS. (And it tries to be since you have the forwarder management section enabled in your gui).

mmatin · ‎09-21-2024

Tried fresh installation with config for DS as well, didnt work.

Cannot see the Universal forwarder From Splunk Enterprise

universal forwarder

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...