Hello
I am trying to configure a forwarder between a Linux machine and a Windows machine. My Splunk is installed on the Windows and the forwarder on Linux. I need to establish a connection between both so as to monitor the syslogs.
I have followed all the steps mentioned in "http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux.html" to configure the forwarder. But when I try to list the forwards, it says:
Configured but inactive forwards:
137.254.237.30:9997
(the IP of my Windows machine:port)
By doing more research I came to know that this could be a firewall issue. I restarted the Windows firewall and added this port as an Inbound Rule for Splunk. But still, the forwarder is inactive.
Please help me out on this.
There is a high possibility that the data you wish to forward is already sent and there is no more new data to be sent.
Try generating some events or run this eventgen to produce random samples, and then check the status.
Regards, Mitesh.
But what about the universal forwarder? Could you install the eventgen add-on for the universal forwarder? I have tried but no luck.
Have looked through several posts and checked everything, still having the forwards inactive.
Any help appreciated.
Thanks a lot Mitesh 🙂
I guess it's a bug in version 5.0.4. The data had already been forwarded, however, the forward was still shown as inactive.
I would like to know one more thing. How can we remove the inactive forwards from that list in Linux? I deleted all the saved ones through the Splunk Web. But, the list is still appearing in Linux.