- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
This is my first experience with Splunk as I am setting up a lab.
in VirtualBox I have:
VM1: Act as server: Ubuntu desktop 24.04 LTS - IP: 192.168.0.33 - Installed Splunk Enterprise - Added port 997 under configure receiving - Added Index, named it Sysmonlog.
VM2: Act as client: Windows 10 IP: 192.168.0.34 - Installed Sysmon - installed Splunk Forwarder - set the developer ip:192.168.0.34 port 8089 - set indexer 192.168.0.33 port 9997.
ping result is successful form both VMs
When I am about to add the forwarder in my indexer nothing shows up. how should I troubleshoot this to be able to add the forwarder?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/0006d/0006db53e93e02f75a70b791d53de4db2c1334ef" alt="gcusello gcusello"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
Hi @Dyrock ,
as you can see in https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html and read at https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Forwarddata and https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Forwarding/Aboutforwardingandreceivingdat...
You have to:
- configure the Indexer to receive logs from UFs (I suppose that 997 is a mistyping because the default port is 9997);
- configure the outputs.conf on your UF to send data to the indexers on the same port.
- configure the inputs on the UF.
At this point you will see your logs in the Indexer.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/0006d/0006db53e93e02f75a70b791d53de4db2c1334ef" alt="gcusello gcusello"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
Hi @Dyrock ,
as you can see in https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html and read at https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Forwarddata and https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Forwarding/Aboutforwardingandreceivingdat...
You have to:
- configure the Indexer to receive logs from UFs (I suppose that 997 is a mistyping because the default port is 9997);
- configure the outputs.conf on your UF to send data to the indexers on the same port.
- configure the inputs on the UF.
At this point you will see your logs in the Indexer.
Ciao.
Giuseppe
data:image/s3,"s3://crabby-images/1a552/1a552ff33d37f94e7c5bc13132edaa973c529815" alt=""