Getting Data In

Configuration UF

bdegoy
New Member

Hello,

I want to monitor data from a remote linux server. The receiver is a Windows box at office with Splunk installed.
I have installed the universal forwarder on the server, configured firewalls, everything seems to work fine since the Deployment Monitor:

  • displays some traffic in Home >> Forwarder Connections;

  • displays an active Universal forwarder in Home >> All Forwarders.

But the Search App displays no source from this forwarder, only from my local box. In Hosts I see my local box, not the server.

I try to add data; I go to:
Manager » Add data » Any other type of data -> Data sources on machines your Splunk server can't access -> Use Splunk's universal forwarder to forward data from any machine to your Splunk server.

I see there : "Download the universal forwarder"
(instead of "Next" ???).

I have already gone through this step, the Universal Forwarder is installed on the server and working fine. What should I do now?

Any help appreciated!


alacercogitatus
SplunkTrust

Have you added any inputs on the UF? On the linux box add this into etc/system/local/inputs.conf:

[monitor://var/log]
disabled=false
sourcetype=syslog
host=myhost

You can find more at: http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf


bdegoy
New Member

Many thanks for your help.
index=_internal source=forwarder gives : No matching events found.
You got me back on the track.


bmacias84
Champion

Ok, have you configured your Splunk Indexer to receive on port 9997 and your UF to forward to your indexer? Also, have you configured your inputs.conf on your UF?

To list active and inactive forwarders on the UF use: splunk list forward-server

On search head perform the following to list forwarder events: index=_internal source=forwarder


bdegoy
New Member

Hello bmacias84 and alacercogitatus,

Ok, that was the point, I was confused about which inputs.conf had to be completed: on the receiver side or the UF side? You got me right.

Now, on the UF side, my inputs.conf is :

[default]
host = xxx.ovh.net

[monitor://var/log]
disabled=false
sourcetype=syslog
host=xxx.ovh.net

On the server side, I restarted the UF : /opt/splunkforwarder/bin/splunk restart

I had to restart Splunk too.

And... Splunk is indexing!

Many, many thanks for your help.

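The thread's fix was a UF-side inputs.conf plus a working outputs.conf pointing at the indexer. The script below is an added example (not Splunk code and not from anyone in the thread) that reads both files and reports the misconfigurations discussed here before you restart the forwarder: no monitor stanza, a disabled stanza, a monitor path that is not absolute, and a tcpout server that is not host:port. All config text in it is constructed; the indexer hostname is a placeholder.

```python
"""Sanity-check a universal forwarder's inputs.conf / outputs.conf.
Added example, not Splunk code; all config text below is constructed."""
import configparser

def _parse(text):
    # Splunk .conf files are INI-like.  No interpolation (so '%' is safe) and a
    # DEFAULT name Splunk never uses, so "[default]" is read as an ordinary stanza.
    cp = configparser.ConfigParser(interpolation=None, strict=False, default_section="__none__")
    cp.read_string(text)
    return cp

def check_uf_config(inputs_text: str, outputs_text: str) -> list[str]:
    """Return the problems that would stop data reaching the indexer (empty = OK)."""
    inputs, outputs, problems = _parse(inputs_text), _parse(outputs_text), []
    monitors = [s for s in inputs.sections() if s.startswith("monitor://")]
    if not monitors:
        problems.append("inputs.conf: no [monitor://...] stanza, so nothing is forwarded")
    for stanza in monitors:
        path = stanza[len("monitor://"):]
        if not path.startswith("/"):   # "monitor://var/log" is a relative path
            problems.append(f"inputs.conf: {stanza} is relative; did you mean monitor:///{path}?")
        if inputs.get(stanza, "disabled", fallback="false").strip().lower() in ("1", "true"):
            problems.append(f"inputs.conf: {stanza} is disabled")
    # outputs.conf must name at least one indexer as host:port (9997 is the usual port)
    servers = []
    for group in (s for s in outputs.sections() if s.startswith("tcpout:")):
        servers += [x.strip() for x in outputs.get(group, "server", fallback="").split(",") if x.strip()]
    if not servers:
        problems.append("outputs.conf: no [tcpout:<group>] stanza with a server= list")
    for srv in servers:
        host, _, port = srv.rpartition(":")
        if not host or not port.isdigit():
            problems.append(f"outputs.conf: server '{srv}' must be host:port, e.g. indexer:9997")
    return problems

# Constructed samples: the thread's inputs.conf with an absolute path, and a
# matching outputs.conf (indexer hostname is a placeholder).
INPUTS_OK = "[monitor:///var/log]\ndisabled = false\nsourcetype = syslog\nhost = xxx.ovh.net\n"
OUTPUTS_OK = "[tcpout]\ndefaultGroup = office\n\n[tcpout:office]\nserver = office-indexer.example:9997\n"
INPUTS_EMPTY = "[default]\nhost = xxx.ovh.net\n"   # the asker's starting point: no inputs

if __name__ == "__main__":
    for problem in check_uf_config(INPUTS_EMPTY, OUTPUTS_OK) or ["no problems found"]:
        print(problem)
```

Run it against the real files with `check_uf_config(open(".../etc/system/local/inputs.conf").read(), open(".../etc/system/local/outputs.conf").read())` under $SPLUNK_HOME of the forwarder; an empty list means the UF at least has something to send and somewhere to send it.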