Hi everyone,
I am new to Splunk. One of the servers is not sending its logs. How can I know whether a Splunk Universal Forwarder is installed on that server?
Secondly, if a UF is installed, how can we find out where it is sending the logs to?
If it is not sending logs at all, then how do I identify and troubleshoot the problem?

To find out if the Splunk Universal Forwarder (or indeed Splunk itself) is installed: for Windows it's like any other program and will be listed as "Splunk" or "SplunkForwarder" in Add/Remove Programs. You can also find the folders in C:\Program Files. For *nix, Splunk of either variety is usually installed in /opt, and you can confirm by perusing the output of "ps" or "top".
If there is no UF, there are still ways to get the logs into Splunk. In Windows it's easy enough to "remotely collect" most logs via WMI and direct file access.
Troubleshooting a UF when it is no longer sending in logs usually isn't much more extreme than hopping onto the box in question and checking for errors in the Event Viewer or logs, and perhaps restarting the service. You can check /opt/splunk/var/log/splunkforwarder/splunkd.log or c:\program files\splunkforwarder\var\log\splunk\splunkd.log for the last few pages of information to see if any ERRORs pop out. If the service is running and not showing errors, then it gets a bit more complex. Hopefully the above will help you get it up and running.

Finding out whether Splunk is installed or not
Windows -
Go to Run -> type services.msc and check that the Splunk services are installed/available and running.
Linux -
Run the following command to see if the splunk service is installed:
service --status-all
OR use the following to check if the Splunk service is running:
ps -ef | grep splunk
Find outputs.conf on the Forwarder to find which Indexers/Intermediate Forwarder it is sending data to.
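The two answers above boil down to three checks on the forwarder host: is a UF installed (and running), where does its outputs.conf say it sends data, and is splunkd.log logging errors. The following POSIX shell script is an added example written for this thread, not code from the thread or from Splunk. It covers the *nix side of the answers and assumes the UF's default install location /opt/splunkforwarder (the splunkd.log path under it, var/log/splunk/splunkd.log, is the UF default; the Windows paths are in the answers above). Because the thread's later follow-up is a forwarder with a deployment server configured but no indexer, the outputs.conf check explicitly reports the case where no [tcpout] server is set. The function names, the sample outputs.conf and the splunkd.log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): quick UF health checks.
# Every function takes the UF home directory so it runs against a real
# /opt/splunkforwarder or against the constructed sample tree built by
# make_sample_uf below.

# Check 1: is a UF installed? The install dir and the splunk binary exist.
uf_installed() {
    _home="${1:-/opt/splunkforwarder}"
    [ -d "$_home" ] && [ -x "$_home/bin/splunk" ]
}

# Check 1b: is splunkd running? Same idea as `ps -ef | grep splunk`, with
# the bracket trick so the grep process does not match itself.
uf_running() {
    ps -ef 2>/dev/null | grep -q '[s]plunkd'
}

# Check 2: where does it send data? outputs.conf lists indexers as
# "server = host:port, host:port" inside [tcpout...] stanzas. This awk
# program prints one host:port per line; it is applied to every
# outputs.conf under etc/ because apps can carry their own copy.
UF_TARGET_AWK='
/^[ \t]*\[/ { in_tcpout = ($0 ~ /^[ \t]*\[tcpout/); next }
in_tcpout && /^[ \t]*server[ \t]*=/ {
    sub(/^[^=]*=/, "")
    n = split($0, parts, ",")
    for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] != "") print parts[i]
    }
}'
uf_targets() {
    _home="${1:-/opt/splunkforwarder}"
    [ -d "$_home/etc" ] || return 1
    find "$_home/etc" -name outputs.conf -exec awk "$UF_TARGET_AWK" {} + | sort -u
}

# Check 3: is splunkd complaining? splunkd.log lines look like
# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"; keep ERROR/FATAL.
uf_errors() {
    _log="${1:-/opt/splunkforwarder}/var/log/splunk/splunkd.log"
    _n="${2:-20}"
    [ -f "$_log" ] || return 1
    grep -E '^[0-9-]+ [0-9:.]+ [+-][0-9]+ (ERROR|FATAL) ' "$_log" | tail -n "$_n"
}
uf_error_count() {
    _log="${1:-/opt/splunkforwarder}/var/log/splunk/splunkd.log"
    [ -f "$_log" ] || { echo 0; return; }
    grep -cE '^[0-9-]+ [0-9:.]+ [+-][0-9]+ (ERROR|FATAL) ' "$_log" || true
}

# Human-readable summary of the three checks for one UF home.
uf_report() {
    _home="${1:-/opt/splunkforwarder}"
    if uf_installed "$_home"; then echo "UF install: found at $_home"
    else echo "UF install: not found at $_home"; return 1; fi
    if uf_running; then echo "splunkd: running"; else echo "splunkd: not running"; fi
    _t=$(uf_targets "$_home")
    if [ -n "$_t" ]; then echo "Forwarding to:"; echo "$_t" | sed 's/^/  /'
    else echo "Forwarding to: NO indexer configured in any outputs.conf under $_home/etc"; fi
    echo "Recent ERROR/FATAL lines in splunkd.log ($(uf_error_count "$_home") total):"
    uf_errors "$_home" 5 | sed 's/^/  /'
}

# Constructed sample UF tree so the checks can be exercised offline.
# Pass "none" as the second argument to build the thread's failure case:
# a deployment server configured, but no indexer in outputs.conf.
make_sample_uf() {
    _home="$1"; _mode="${2:-indexed}"
    mkdir -p "$_home/bin" "$_home/etc/system/local" "$_home/var/log/splunk"
    : > "$_home/bin/splunk"; chmod +x "$_home/bin/splunk"
    printf '[deployment-client]\n[target-broker:deploymentServer]\ntargetUri = 10.0.0.5:8089\n' \
        > "$_home/etc/system/local/deploymentclient.conf"
    if [ "$_mode" = "none" ]; then
        printf '[tcpout]\ndefaultGroup = primary_indexers\n' > "$_home/etc/system/local/outputs.conf"
    else
        cat > "$_home/etc/system/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.0.0.11:9997, 10.0.0.12:9997
autoLBFrequency = 30
EOF
    fi
    # Constructed lines in the splunkd.log layout (not real Splunk messages).
    cat > "$_home/var/log/splunk/splunkd.log" <<'EOF'
01-15-2024 10:22:30.100 +0000 INFO  TcpOutputProc - Initializing connection to 10.0.0.11:9997
01-15-2024 10:22:31.250 +0000 WARN  TcpOutputProc - Connection to 10.0.0.11:9997 timed out
01-15-2024 10:22:35.400 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.11:9997 failed
01-15-2024 10:22:36.500 +0000 ERROR TcpOutputProc - Not connected to any indexer
EOF
}

# Usage: sh uf_check.sh /opt/splunkforwarder
if [ "$#" -gt 0 ]; then uf_report "$1"; fi
```

Run it with the UF home as the only argument, or source it and call `make_sample_uf /tmp/uf none` followed by `uf_report /tmp/uf` to see what the missing-indexer case looks like: the install is found and the deployment server is configured, yet the report shows no forwarding target, which is why nothing reaches the indexer.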
Which OS are you on?
we have win2k8R2
While installing the connector I added the IP address:port for the deployment server but forgot to add the IP address:port for the indexer. How can I rerun the setup, or what should I do so that I start receiving the logs?
