Getting Data In

How to set up a heavy forwarder/deployment server on one server?

sbattista09
Contributor

After building a deployment and a heavy forwarder on one server we seem to be having issues when we point the universal forwarders to the heavy forwarder. We are new to Splunk 6.3.1 and are not sure if there have been any changes in how to do this?

Overview:
We spun up two new Splunk heavy forwarders for a new company and need both of them to forward logs to our indexers. One of the new heavy forwarders will also act as a deployment server. When setting them up, my stanzas are as follows:

Deployment app in Splunk\etc\deployment-apps\App1\default (outputs.conf):

[tcpout]
defaultGroup = lb_group
disabled = false
heartbeatFrequency = 300
[tcpout:lb_group]
server = HF1.com:9997, HF2.com:9997
autoLB = true
disabled = false

HF config: Splunk\etc\system\local (outputs.conf):

[syslog:my_syslog_group]
#FWD logs to an IDS
disabled = false
server = 10.10.10.10:514
type = udp
sendCookedData = false

[tcpout]
defaultGroup = lb_group
disabled = false

[tcpout:lb_group]
server = idx01.com:9997, idx02.com:9997, idx03.com:9997
autoLB = true
disabled = false

Any input will help,
thank you in advance!

1 Solution

esix_splunk
Splunk Employee

This should work. Just note that the HF that runs as the DS cannot be a member of itself. So you will only be able to deploy the config to one of the HFs, not both.


0 Karma

somesoni2
Revered Legend

What problem do you see when your UFs are pointing to the HF?

0 Karma

sbattista09
Contributor

I do not see any data coming into our indexers when this is set; however, I do see the UFs getting the deployment app that points them to the HFs.

When I change the app to send to the indexers, bypassing the HFs, I see all the data. I don't understand if the HF needs any additional stanzas set to listen for these connections?

0 Karma

somesoni2
Revered Legend

Check if this has been set on the HF:

Set up receiving with the configuration file
You can enable receiving on your Splunk Enterprise instance by configuring inputs.conf in $SPLUNK_HOME/etc/system/local. To configure a universal forwarder as an intermediate forwarder (a forwarder that functions also as a receiver), use this method.

To enable receiving, add a [splunktcp] stanza that specifies the receiving port. In this example, the receiving port is 9997:

[splunktcp://9997]
disabled = 0
0 Karma
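The mismatch described in this thread (the deployment app sends the UFs to HF1.com:9997 and HF2.com:9997, but the HF only has an outputs.conf and no [splunktcp://9997] receiving stanza) can be checked before deploying. The following Python is an added example, not code from the thread or from Splunk: it parses the deployment app's outputs.conf from the question and two constructed inputs.conf samples, where HF1 is assumed to have no receiving stanza and HF2 is assumed to have one, and reports every forwarding target whose host is not listening on the configured port.

```python
"""Cross-check forwarder outputs.conf targets against receiver inputs.conf stanzas."""
import configparser

# Deployment app outputs.conf as posted in the question.
DEPLOYMENT_APP_OUTPUTS = """
[tcpout]
defaultGroup = lb_group
disabled = false
heartbeatFrequency = 300

[tcpout:lb_group]
server = HF1.com:9997, HF2.com:9997
autoLB = true
disabled = false
"""
# Constructed samples: HF1 has only a file input, HF2 also receives on 9997.
HF1_INPUTS = "[monitor:///var/log/messages]\ndisabled = false\n"
HF2_INPUTS = HF1_INPUTS + "\n[splunktcp://9997]\ndisabled = 0\n"

def parse_conf(text):
    """Splunk .conf files are INI-like: case-sensitive keys, '#' comments, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def enabled(stanza):
    """A stanza is active unless 'disabled' is set to a true-ish value."""
    return stanza.get("disabled", "0").strip().lower() in ("0", "false", "f", "no", "n")

def output_targets(outputs_text):
    """Return {(host, port)} for every enabled [tcpout:<group>] server entry."""
    targets = set()
    for name, stanza in parse_conf(outputs_text).items():
        if name.startswith("tcpout:") and enabled(stanza):
            for entry in stanza.get("server", "").split(","):
                host, sep, port = entry.strip().rpartition(":")
                if sep:  # Splunk requires host:port; skip malformed entries
                    targets.add((host, int(port)))
    return targets

def receiving_ports(inputs_text):
    """Return the ports with an enabled [splunktcp://[ip:]port] stanza."""
    return {int(name.split("://", 1)[1].split(":")[-1])
            for name, stanza in parse_conf(inputs_text).items()
            if name.startswith("splunktcp://") and enabled(stanza)}

def missing_receivers(outputs_text, receiver_inputs):
    """receiver_inputs maps host -> its inputs.conf text; returns targets nobody listens on."""
    return {(host, port) for host, port in output_targets(outputs_text)
            if port not in receiving_ports(receiver_inputs.get(host, ""))}

if __name__ == "__main__":
    print(missing_receivers(DEPLOYMENT_APP_OUTPUTS,
                            {"HF1.com": HF1_INPUTS, "HF2.com": HF2_INPUTS}))
```

With the samples above, the check reports HF1.com:9997 as a target with no matching receiver, which is exactly the condition that leaves the UFs connected but the indexers empty.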
