Ok, well, let's leave the REST api aside.

Have you looked at the splunkd.log file that is generated on the forwarder? It should be located in c:\program files\splunkuniversalforwarder\var\log\splunk.

Restart the forwarder and make note of the time. Look for any interesting errors after the restart, containing the filename you are looking for.

Also try to find the lines looking like:

TailingProcessor - Parsing configuration stanza:

OR

WatchedFile - Will begin reading at offset

/k

Also, I have installed multiple forwarders each on a different machine, but I cannot login to any of them.

After multiple unsuccessful attempts I get the following message on the brower:
"401 Unauthorized."

Is there any log file in the forwarder which I can look into for this?

Can there be a port other than 8089 in the link or this port is fixed ?

Ok - how does it not work? Do you get an error message of some sort? In that case - which?

/k

I havent changed the default password. I tried to reset the password by renaming the password file also.

I tried logging in with this link on the forwarder machine: https://127.0.0.1:8089/services/admin/inputstatus/TailingProcessor:FileStatus, didn't work either.

Can there be a port other than 8089 or this port is fixed ?

sorry, will use comments from now on.

please use the comments instead of posting new answers as well.

Then you either have changed the default password from changeme to something else. Ohh.. btw, you may not be able to do that remotely...come to think of it. If you go sit at the machine running the forwarder and do the same thing but use localhost as the ip (127.0.0.1) you should be able to do it.

yes tried that. not working.

admin/changeme

NOT

admin/changename

Yes, I edited the link first then I got a prompt "The server at /splunk requires a username and password." I tried logging in with admin/changename, but it failed.

Also, I am using 'SOURCE' not 'source' in my inputs.config.

Thanks,

1. Did you actually edit the link to use your IP-address, or just click the link?

2. It should be uppercase: 'SOURCE' not 'source'

This is the fromat of my inputs.conf:

[default]
host =

[monitor://]
whitelist=$
index=
crcSalt=
1). I checked there seems to be no issue with firewall. I unable to login to the forwarder with the URL you mentioned.

2). I am not sure what do you mean by ", not ."

3).The inputs.conf of the forwarder looks like:

[monitor://]
whitelist=$
index=
crcSalt=

[monitor://path3]
index=index3
crcSalt=

Ok,
1) login. Point your browser to the splunkd port on the forwarder (see URL above). You'll get a login dialog box. Type admin/changeme. Beware of any firewalls that might block your access.

2) crcSalt. I believe it should be , not .

3). Post your inputs.conf (from your forwarder). And perhaps some more info on the files your trying to monitor.

/k

The problem occurs when I change the log file path in the forwarder. If splunk is misinterpreting my timestamps than shouldn't no events be forwarded at all ?
Also, I am using crcSalt= in my inputs.conf.

I havent changed the password but I cannot login with the default one. I tried resetting the default admin password by following http://splunk-base.splunk.com/answers/834/how-could-i-reset-the-admin-password but I am still not able to login.
I am using the command '%SPLUNK_HOME%\bin\splunk login -auth admin:changeme' to login.