Getting Data In

Configured but Inactive Forwards, inspite of resolving Firewall issue. Why?

smk54
New Member

Hello

I am trying to configure a forwarder between a Linux Machine and a Windows machine. My Splunk is installed on the windows and the forwarder on Linux. I need to establish a connection between both so as to monitor the syslogs.

I have followed all the steps mentioned in "http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux.html" to configure the forwarder. But when i try to list the forwards, it says
Configured but inactive forwards:
137.254.237.30:9997
(the ip of my windows machine:port)
By doing more research I came to know that this could a firewall issue. I restarted the Windows firewall and added this port as an Inbound Rule for Splunk. But still, the forwarder is inactive.

Please help me out on this.

Tags (2)
0 Karma
1 Solution

miteshvohra
Contributor

There is a high possibility that the data you wish to forward is already sent and there is no more new data to be sent.

Try generating some events or run this eventgen to produce random samples, and then check the status.

Regards, Mitesh.

View solution in original post

0 Karma

miteshvohra
Contributor

There is a high possibility that the data you wish to forward is already sent and there is no more new data to be sent.

Try generating some events or run this eventgen to produce random samples, and then check the status.

Regards, Mitesh.

0 Karma

Herman
Explorer

But what about universal forwarder? Could you install eventgen add on for universal forwarder? I have tried but no luck.

 

Have looked through several posts and checked everything, still having the forwards inactive.

 

Any help appreciated

0 Karma

smk54
New Member

Thanks a lot mitesh 🙂

I guess its a bug in version 5.0.4. The data had already been forwarded, however, the forward was still shown as inactive.

I would like to know one more thing. How can we remove the inactive forwards from that list in Linux? I deleted all the saved ones through the Splunk Web. But, the list is still appearing in Linux.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...