Cannot see the Universal forwarder From Splunk Enterprise

mmatin
Explorer

Hi,

I have set up 2 VMs in VirtualBox, installed Splunk Enterprise on Windows Server 2022, and installed the universal forwarder on a Windows 10 VM.

I have enabled listening port 9997 in Splunk Enterprise.

While installing the UF, I skipped the deployment server config (left it empty) and entered the IP of the Windows Server machine in the receiving indexer window.

Then I checked the connection from the UF machine to Splunk Enterprise with this PS command:

```powershell
Test-NetConnection -ComputerName xxx.xxx.x.xxx -Port 9997
```

(Successful)

and from Splunk to the universal forwarder:

```powershell
Test-NetConnection -ComputerName xxx.xxx.x.xxx
```

(Successful)

So connection is up and running between the 2 devices.

But then in Splunk Enterprise, when I go to Settings > Forwarder Management, I cannot see the Windows client.

Same issue in Settings > Add Data > Forward

"There are currently no forwarders configured as deployment clients to this instance"

What am I doing wrong? Did I skip any configuration? Can someone help PLEASE?


mmatin
Explorer

## Solution found:

- The issue was the Windows Defender Firewall for outbound traffic on the Windows 10 (UF) machine. I added a new outbound rule for any traffic outgoing via splunkd.exe, and now I can see the device in Forwarder Management. 🙂 🙂

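For anyone hitting the same thing, here is an added example of the fix as a scripted, narrowly scoped rule plus the two checks that tell you whether it worked. This is not code from the thread; the indexer IP is a placeholder and the UF install path is the default one (change both if yours differ).

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the UF VM.
# Assumptions: $IndexerIp is a placeholder for the Splunk Enterprise VM (masked as
# xxx.xxx.x.xxx above); $SplunkdExe is the default 64-bit UF install path.
$IndexerIp  = '192.0.2.10'   # placeholder (RFC 5737 documentation range)
$SplunkdExe = 'C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe'
$RuleName   = 'Splunk UF - outbound to indexer 9997'

# 1. Fail early if the program path is wrong; a rule bound to a missing exe allows nothing.
if (-not (Test-Path $SplunkdExe)) { throw "splunkd.exe not found at $SplunkdExe" }

# 2. Create the rule once. Unlike an "any traffic via splunkd.exe" rule, this one is
#    limited to TCP, the indexer's address and port 9997, which is all the UF needs
#    for forwarding, so the hole in the outbound policy stays as small as possible.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Allow -Enabled True `
        -Program $SplunkdExe -Protocol TCP `
        -RemoteAddress $IndexerIp -RemotePort 9997 `
        -Profile Any | Out-Null
}

# 3. Show what the rule really allows; address and port filters are separate objects.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort

# 4. Same reachability check the thread used; TcpTestSucceeded must be True.
(Test-NetConnection -ComputerName $IndexerIp -Port 9997).TcpTestSucceeded

# 5. Ask the forwarder itself which receivers are active (prompts for UF admin credentials).
& 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe' list forward-server
```

Step 4 only proves the port is reachable from an interactive shell; step 5 is what shows whether splunkd.exe itself is allowed out, which is the distinction that bit this thread.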

PickleRick
SplunkTrust

You skipped the DS configuration, so your UF is _not_ managed by the DS.

You can still configure your UF manually, and if you properly pointed it at the indexer, you should see the UF's internal logs in the _internal index, but you can't manage the UF until you point it at the DS.

See https://docs.splunk.com/Documentation/Splunk/latest/Updating/Configuredeploymentclients

mmatin
Explorer

So do I need another VM set up as the deployment server? I saw 1 or 2 videos where they said that since it's a simple lab setup with only one local forwarder, you don't need the deployment server config.


isoutamo
SplunkTrust

This means that you don't need a separate DS server until you have something like 50 UF deployment clients.

Usually you should configure your own app to manage that DS configuration on the UFs. You could use the same or a separate app for outputs.conf too. If you set those in the installation phase, it's hard to change them later, as they are configured under ...\etc\system\local, which you cannot manage via the DS.

PickleRick
SplunkTrust

No. Your AIO (all-in-one) box, which works as SH and indexer, can also be a DS. (And it tries to be, since you have the Forwarder Management section enabled in your GUI.)


mmatin
Explorer

Tried a fresh installation with the config for the DS as well; it didn't work.
