Getting Data In

How to troubleshoot configuration mismatch in inputs.conf and outputs.conf?

antifreke
Path Finder

Background: I am not an engineer and have little engineering experience. In setting up my instance, I have a question about the .conf files.

Search Head - x.x.x.25
Syslog Server - x.x.x.24
Indexer 1- x.x.x.23

If I'm forwarding syslog data on UDP 514, I have the following:

inputs.conf

[udp://514]
connection_host=dns
index=syslog
sourcetype=syslog

outputs.conf

[syslog:syslogGroup]
server = x.x.x.23:9997

[tcpout:indexer1]
server:x.x.x.23:9997

When I run list forward-server, I get the following:

Active forwards: none
configured but inactive: x.x.x.23:9997

Any ideas how I got this mismatch and what I need to do to make them active? I currently have no issues with networking, no firewalls, and can openly ping between devices. Thoughts?

0 Karma
1 Solution

lguinn2
Legend

Your outputs.conf is misconfigured. It should be

[tcpout:group1]
server=x.x.x.23:9997

The tcpout specifies Splunk-forwarder-to-Splunk-indexer communication. group1 can be any unique name; it is needed only if there are multiple tcpout stanzas. (So "indexer1" is actually okay here, but it doesn't really mean anything.)
The server specification of x.x.x.23:9997 should be fine - as long as the indexer running on x.x.x.23 is actually listening on port 9997. If it is not, that would be one reason that it would show up as "inactive."

The [syslog:syslogGroup] stanza should be removed. It is specifying that the forwarder should send data in syslog format to the server - which it should not do. This also could be the reason that the indexer shows as inactive.

For more information, you should look at $SPLUNK_HOME/var/log/splunkd.log


0 Karma
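Added example (not from this thread and not Splunk's own tooling): a small Python linter that reads an outputs.conf and flags the two problems lguinn2 describes, a [syslog:...] stanza where forwarder-to-indexer traffic is expected and a server line that is not a key=value setting. The asker's outputs.conf is embedded below as a constructed sample; the host:port pattern is a simplifying assumption that does not cover IPv6 literals.

```python
"""Lint a Splunk forwarder outputs.conf for the mismatches discussed in the thread."""
import re

# Constructed sample: the asker's outputs.conf, copied as posted.
SAMPLE_OUTPUTS_CONF = """\
[syslog:syslogGroup]
server = x.x.x.23:9997

[tcpout:indexer1]
server:x.x.x.23:9997
"""

STANZA_RE = re.compile(r"^\[(?P<stanza>[^\]]+)\]$")
# Assumption: a target is host:port with a plain hostname or IPv4 address.
SERVER_RE = re.compile(r"^[\w.-]+:\d{1,5}$")


def lint_outputs_conf(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    stanza = None
    saw_tcpout = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("stanza")
            if stanza.startswith("syslog:"):
                findings.append(f"line {lineno}: [{stanza}] sends data in syslog format; "
                                "remove it for forwarder-to-indexer traffic")
            elif stanza.startswith("tcpout:"):
                saw_tcpout = True
            continue
        if "=" not in line:
            # e.g. 'server:x.x.x.23:9997' is silently not a setting at all
            findings.append(f"line {lineno}: '{line}' is not a key=value setting "
                            "(did you mean 'server = host:port'?)")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "server" and stanza and stanza.startswith("tcpout:"):
            for target in value.split(","):
                if not SERVER_RE.match(target.strip()):
                    findings.append(f"line {lineno}: server target '{target.strip()}' is not host:port")
    if not saw_tcpout:
        findings.append("no [tcpout:<group>] stanza found")
    return findings


if __name__ == "__main__":
    for finding in lint_outputs_conf(SAMPLE_OUTPUTS_CONF):
        print(finding)
```

If the linter comes back clean and `splunk list forward-server` still reports the indexer as inactive, the remaining checks are whether the indexer is listening on 9997 and what $SPLUNK_HOME/var/log/splunkd.log reports for the connection.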


antifreke
Path Finder

Alright, I have that up. But I think I figured out part of my problem in rsyslog.conf. Does the following look like I did this correctly?

# write messages from the matching source to a dedicated file
if $fromhost-ip startswith 'x.x.x.23' then /var/log/rsyslog/devices.log
# '&~' discards the message after the action above (newer rsyslog spells this '& stop')
&~
0 Karma