Hello,
I want to monitor data from a remote Linux server. The receiver is a Windows box at the office with Splunk installed.
I have installed the universal forwarder on the server, configured firewalls, everything seems to work fine since the Deployment Monitor:
displays some traffic in Home >> Forwarder Connections;
displays an active Universal forwarder in Home >> All Forwarders.
But the Search App displays no source from this forwarder, only from my local box. In Hosts I see my local box, not the server.
I try to add data; I go to :
Manager » Add data » Any other type of data -> Data sources on machines your Splunk server can't access -> Use Splunk's universal forwarder to forward data from any machine to your Splunk server.
I see there : "Download the universal forwarder"
(instead of "Next" ???).
I have already gone through this step, the Universal Forwarder is installed on the server and working fine. What should I do now?
Any help appreciated!
Have you added any inputs on the UF? On the Linux box add this into etc/system/local/inputs.conf:
[monitor://var/log]
disabled=false
sourcetype=syslog
host=myhost
You can find more at : http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf
Many thanks for your help.
index=_internal source=forwarder gives : No matching events found.
You got me back on the track.
OK, have you configured your Splunk Indexer to receive on port 9997 and your UF to forward to your indexer? Also, have you configured your inputs.conf on your UF?
To list active and inactive forwards on UF use: splunk list forward-server
On search head perform the following to list forwarder events: index=_internal source=forwarder
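The two answers above boil down to three things on the UF side: outputs.conf must name the indexer (host and receiving port, conventionally 9997), inputs.conf must contain an enabled [monitor://...] stanza, and the indexer port must actually be reachable through the firewalls. The script below is an added example, not code from the thread or from Splunk: it parses constructed copies of both files (the indexer name splunk-office.example.com is invented, the inputs.conf mirrors the shape posted in the thread) and probes the receiving port, which is the same question "splunk list forward-server" and a search for index=_internal source=forwarder answer. Splunk's documentation writes absolute monitor paths with three slashes (monitor:///var/log); the form used in the thread evidently worked for the poster, so the script only notes it rather than treating it as an error.

```python
"""Pre-flight check for a Splunk universal forwarder (UF): added example, not Splunk code.

Reads the two files the thread is about, both under $SPLUNK_HOME/etc/system/local on the UF:
  outputs.conf  - where the UF sends data (tcpout group -> indexer host:port)
  inputs.conf   - what the UF collects ([monitor://...] stanzas)
and then probes the indexer's receiving port. All sample content is constructed inline.
"""
import configparser
import socket

DEFAULT_RECEIVE_PORT = 9997  # Splunk's conventional splunktcp receiving port

# Constructed sample of the UF's outputs.conf; the indexer host name is invented.
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk-office.example.com:9997
"""

# Constructed sample of the UF's inputs.conf, in the shape posted in the thread.
SAMPLE_INPUTS = """\
[default]
host = xxx.ovh.net

[monitor://var/log]
disabled = false
sourcetype = syslog
host = xxx.ovh.net
"""


def parse_conf(text):
    """Splunk .conf files are INI-style; interpolation is off so '%' in values stays literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (e.g. defaultGroup)
    cp.read_string(text)
    return cp


def forward_servers(outputs_text):
    """Return [(host, port), ...] for the default tcpout group, or [] if none is configured."""
    cp = parse_conf(outputs_text)
    if not cp.has_section("tcpout"):
        return []
    group = cp["tcpout"].get("defaultGroup", "").strip()
    stanza = f"tcpout:{group}"
    if not group or not cp.has_section(stanza):
        return []
    servers = []
    for entry in cp[stanza].get("server", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.rpartition(":")
        if not host:  # bare host name: assume the conventional port
            host, port = entry, str(DEFAULT_RECEIVE_PORT)
        servers.append((host, int(port)))
    return servers


def monitor_stanzas(inputs_text):
    """Return one dict per [monitor://...] stanza: path, enabled flag, sourcetype and notes."""
    cp = parse_conf(inputs_text)
    result = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        path = section[len("monitor://"):]
        disabled = cp[section].get("disabled", "false").strip().lower()
        notes = []
        if not path.startswith("/"):
            # Documented form for an absolute path is monitor:///var/log (three slashes).
            notes.append("path has no leading '/'; documented form is monitor:///" + path)
        result.append({
            "path": path,
            "enabled": disabled not in ("1", "true", "t", "yes", "y"),
            "sourcetype": cp[section].get("sourcetype"),
            "notes": notes,
        })
    return result


def port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds: the indexer is listening and no firewall blocks it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False


def preflight(outputs_text, inputs_text, probe=True):
    """Collect the misconfigurations that leave a UF 'connected' in the monitor but sending nothing."""
    problems = []
    servers = forward_servers(outputs_text)
    if not servers:
        problems.append("outputs.conf: no tcpout defaultGroup with a server entry")
    elif probe:
        for host, port in servers:
            if not port_open(host, port):
                problems.append(f"cannot reach indexer {host}:{port} (listener not enabled or firewall)")
    monitors = monitor_stanzas(inputs_text)
    if not any(m["enabled"] for m in monitors):
        problems.append("inputs.conf: no enabled [monitor://...] stanza, nothing will be forwarded")
    for m in monitors:
        problems.extend(f"inputs.conf [monitor://{m['path']}]: {n}" for n in m["notes"])
    return {"servers": servers, "monitors": monitors, "problems": problems}


if __name__ == "__main__":
    for line in preflight(SAMPLE_OUTPUTS, SAMPLE_INPUTS)["problems"]:
        print("WARN", line)
```

On the indexer (the Windows box in this thread) the matching step is enabling the receiving port, for example with "splunk enable listen 9997", which writes a [splunktcp://9997] stanza into the indexer's own inputs.conf; the UF's inputs.conf and outputs.conf both live on the forwarder, which is the distinction the original poster was missing.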
Hello bmacias84 and alacercogitatus,
OK, that was the point, I was confused about which inputs.conf had to be completed: on the receiver side or the UF side? You got me right.
Now, on the UF side, my inputs.conf is :
[default]
host = xxx.ovh.net
[monitor://var/log]
disabled=false
sourcetype=syslog
host=xxx.ovh.net
On the server side, I restarted the UF : /opt/splunkforwarder/bin/splunk restart
I had to restart Splunk too.
And .. Splunk is indexing!
Many, many thanks for your help.