Getting Data In

I am not receiving the logs of my Linux machine

anshuman19
Explorer

I want to receive the logs of a Linux machine (which has the UF installed) on my Windows machine, which has Splunk Enterprise Free with a domain account. I edited inputs.conf and outputs.conf as follows.
The IP of my Linux machine is, suppose, 192.168.5.007
The IP of the Windows machine, with the port number I want to receive on, is, suppose, 192.168.2.047:9997

In inputs.conf of the Splunk forwarder:

[monitor:///path.../myfile]
index=INDEX_NAME
host = 192.168.5.007
sourcetype = linux:log

outputs.conf:

[tcpout-server://192.168.2.047:9997]
compressed=false

In inputs.conf of Splunk Enterprise on Windows:

[splunktcp://9997]
disabled = 0

Can someone help me check whether I have done everything right, or whether I have to change anything?
I edited the inputs.conf and outputs.conf under system\local.

1 Solution

mayurr98
Super Champion

Hey @anshuman19,
If you want to receive logs from the Linux machine then you must install the universal forwarder on the Linux machine.
The universal forwarder
1) tells the forwarder what data to send, i.e. your_file
2) tells it where to send the data, i.e. to the Windows machine

To get the data from your Linux machine:

1) In inputs.conf of the Splunk forwarder, i.e. on the Linux machine, /opt/etc/system/local/inputs.conf

[monitor:///path.../myfile]
index =

host = 192.168.5.007
sourcetype = linux:log

2) For outputs.conf, run the commands below on the Linux universal forwarder
./splunk add forward-server 192.168.2.047:9997
./splunk set deploy-poll 192.168.2.047:8089

3) On the Windows machine
Configure the receiving port on the indexer (inputs.conf for receiving data on a port, say 9997)
Read details at http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver
[splunktcp://9997]
disabled = 0

4) Restart the universal forwarder on the Linux machine. Go to /opt/splunkforwarder/bin and run
./splunk restart

5) Search for your data on the Windows machine

This will work only if you have connectivity between the Windows (indexer) and Linux (forwarder) machines on ports 9997 and 8089.

Let me know if this helps!

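A cross-check of the three files in the steps above, added here as an example (not code from the thread or from Splunk): it parses the forwarder's inputs.conf and outputs.conf and the indexer's inputs.conf with a minimal hand-written parser, and reports a monitor stanza that lost its opening `[`, an outputs.conf without the `[tcpout]` defaultGroup plus `[tcpout:<group>]` server layout that `splunk add forward-server` writes, and a forwarder target port with no enabled `[splunktcp://<port>]` receiver. The sample config strings are constructed; the `/var/log/myfile` path and the `linux` index are placeholders.

```python
import re
STANZA = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Minimal Splunk .conf parser -> {stanza: {key: value}}; a header that lost its '[' gets a '!bad:' name."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m or (line.endswith("]") and "=" not in line):
            cur = m.group(1) if m else "!bad:" + line  # header line missing its opening '['
            stanzas.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            stanzas[cur][key.strip()] = val.strip()
    return stanzas

def check_pipeline(uf_inputs, uf_outputs, idx_inputs):
    """Return problems found across UF inputs.conf, UF outputs.conf and indexer inputs.conf ([] = consistent)."""
    problems = []
    inp, out, idx = (parse_conf(t) for t in (uf_inputs, uf_outputs, idx_inputs))
    for name, kv in inp.items():
        if name.startswith("!bad:"):
            problems.append("inputs.conf: stanza header is missing '[': " + name[5:])
        elif name.startswith("monitor://") and not kv.get("index"):
            problems.append("inputs.conf: %s sets no index; events go to the default index" % name)
    # `splunk add forward-server` writes [tcpout] defaultGroup plus a [tcpout:<group>] with server=
    groups = {n[7:]: kv for n, kv in out.items() if n.startswith("tcpout:")}
    if out.get("tcpout", {}).get("defaultGroup") not in groups:
        problems.append("outputs.conf: [tcpout] defaultGroup must name an existing [tcpout:<group>]")
    target_ports = set()
    for group, kv in groups.items():
        for srv in kv.get("server", "").replace(" ", "").split(","):
            if re.fullmatch(r"[^:]+:\d{1,5}", srv):
                target_ports.add(srv.rsplit(":", 1)[1])
            else:
                problems.append("outputs.conf: [tcpout:%s] needs server = host:port, got %r" % (group, srv))
    receiving = {n[12:] for n, kv in idx.items()
                 if n.startswith("splunktcp://") and kv.get("disabled", "0") in ("0", "false")}
    for port in sorted(target_ports - receiving):
        problems.append("indexer inputs.conf: no enabled [splunktcp://%s] for forwarder target port" % port)
    return problems

# Constructed samples: the thread's broken pair, and the layout `splunk add forward-server` writes.
BROKEN_UF_INPUTS = "monitor:///var/log/myfile]\nindex =\nhost = 192.168.5.7\nsourcetype = linux:log\n"
BROKEN_UF_OUTPUTS = "[tcpout-server://192.168.2.47:9997]\ncompressed=false\n"
GOOD_UF_INPUTS = "[monitor:///var/log/myfile]\nindex = linux\nhost = 192.168.5.7\nsourcetype = linux:log\n"
GOOD_UF_OUTPUTS = "[tcpout]\ndefaultGroup = default-autolb-group\n\n[tcpout:default-autolb-group]\nserver = 192.168.2.47:9997\n"
INDEXER_INPUTS = "[splunktcp://9997]\ndisabled = 0\n"
```

Run `check_pipeline(BROKEN_UF_INPUTS, BROKEN_UF_OUTPUTS, INDEXER_INPUTS)` to see the two defects from the thread reported, and the GOOD pair to see an empty list.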

gcusello
SplunkTrust

Hi anshuman19,
you can install Splunk Enterprise on a Windows server and monitor a Linux server, but the Universal Forwarder must be installed on the Linux server, not on the Windows server!
See http://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain for more information.

In a few words:

  • install UF on Linux server,
  • configure outputs.conf on UF,
  • configure inputs.conf on UF,
  • enable receiving on Splunk Enterprise.

To configure inputs, the easiest way is to use Splunk_TA_Linux, which you can find on apps.splunk.com.

Bye.
Giuseppe

anshuman19
Explorer

Thanks gcusello



anshuman19
Explorer

Thanks mayurr98

It works, but I shut down both my systems and started them again the next morning, and now it's not receiving anything from that Linux machine. What to do now?


mayurr98
Super Champion

have you enabled it as boot-start?
To enable automatic start on boot:

$SPLUNK_HOME/bin/splunk enable boot-start
do this on both the systems!

anshuman19
Explorer

I have done it on Windows, but on Linux it says that the command is not found.


mayurr98
Super Champion

Hey, on Linux you have to go to /opt/splunkforwarder/bin and then run ./splunk enable boot-start
You can refer to this link if you have any query:
https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/ConfigureSplunktostartatboottime#Enable_boo...

anshuman19
Explorer

Ok, done. Now will it directly fetch the data, or do we have to restart the forwarder?


mayurr98
Super Champion

Yes, it should. Try and let me know!


anshuman19
Explorer

Thanks mayurr98 it's working!!


mayurr98
Super Champion

Hey, I am glad my answer helped you! Please upvote my answer/comments, whichever helped you.
