Getting Data In

How to track successful inbound connections to a universal forwarder?

djconroy
Path Finder

I have a group of Universal forwarders deployed in our DMZ to relay logs from UF's in the field to our indexing cluster inside our network.

The splunkd.log from the DMZ servers shows errors on those inbound connections when they occur, but it does not appear to log successful inbound connections, which would be helpful in performance tracking and iplocation of clients.

It does seem to capture successful outbound connections to the indexers, so I would have to imagine this information is available.

Is there a logging level switch somewhere that would trap that information in the splunkd.log in the DMZ?

0 Karma
1 Solution

djconroy
Path Finder

So I figured this one out on my own... it appears you can glean that information from the metrics logs in /var/log/splunk. For whatever reason, those logs, although configured to be monitored in /etc/system/defaults/inputs.conf in the Universal Forwarders, were not being forwarded or indexed at the cluster level. I added the folder specifically to the local/inputs.conf, and added a dedicated index and input/output for those logs from the DMZ for easy searching of inbound statistics from our internet-based forwarders.

0 Karma

djconroy
Path Finder

I later learned that you can allow the default inputs.conf to pick up those metrics if you add the following to the tcpout stanza in outputs.conf:

[tcpout]
forwardedindex.filter.disable = true

This prevents you from having to index the metrics from the forwarders themselves against your license.

0 Karma
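Once the DMZ forwarders' metrics.log is being read (indexed, or pulled straight from /var/log/splunk), the inbound statistics it records can be rolled up per field forwarder. The following is an added example, not code from the original thread: a small Python parser run over constructed metrics.log lines in the shape of group=tcpin_connections entries. The field names it relies on (sourceIp, hostname, kb, ssl) are assumed from that entry format, and every sample value is made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of metrics.log "tcpin_connections" entries
# (field set assumed from that format; values are invented for the example).
SAMPLE_METRICS_LOG = """\
04-12-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 198.51.100.7:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=198.51.100.7, sourceIp=198.51.100.7, destPort=9997, kb=12.5, hostname=uf-field-01, fwdType=uf, ssl=true, ack=false
04-12-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 203.0.113.9:40012:9997, connectionType=cooked, sourcePort=40012, sourceHost=203.0.113.9, sourceIp=203.0.113.9, destPort=9997, kb=3.0, hostname=uf-field-02, fwdType=uf, ssl=false, ack=false
04-12-2024 10:00:01.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2, kb=4.0
04-12-2024 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 198.51.100.7:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=198.51.100.7, sourceIp=198.51.100.7, destPort=9997, kb=7.5, hostname=uf-field-01, fwdType=uf, ssl=true, ack=false
"""

# key=value pairs; values are either double-quoted or run up to the next comma/space
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

def parse_metrics_line(line):
    """Return the key=value fields of one metrics.log line as a dict, or None
    when the line carries no 'Metrics - ' payload."""
    if "Metrics - " not in line:
        return None
    payload = line.split("Metrics - ", 1)[1]
    return {k: v.strip('"') for k, v in KV_RE.findall(payload)}

def summarize_inbound(text):
    """Aggregate tcpin_connections entries per (sourceIp, hostname): total KB
    received, number of metrics samples seen, and whether any sample reported
    a connection that was not using TLS (ssl != true)."""
    summary = defaultdict(lambda: {"kb": 0.0, "samples": 0, "plaintext": False})
    for line in text.splitlines():
        fields = parse_metrics_line(line)
        if not fields or fields.get("group") != "tcpin_connections":
            continue  # other metric groups (thruput, queues, ...) are not inbound stats
        key = (fields.get("sourceIp"), fields.get("hostname"))
        entry = summary[key]
        entry["kb"] += float(fields.get("kb", 0))
        entry["samples"] += 1
        if fields.get("ssl", "false").lower() != "true":
            entry["plaintext"] = True
    return dict(summary)

if __name__ == "__main__":
    for (ip, host), stats in summarize_inbound(SAMPLE_METRICS_LOG).items():
        flag = "  <-- not using TLS" if stats["plaintext"] else ""
        print(f"{host:12} {ip:16} {stats['kb']:8.1f} KB over {stats['samples']} samples{flag}")
```

The sourceIp values are what an iplocation lookup would be run against; the plaintext flag is the check worth keeping for forwarders that reach the DMZ over the internet.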