Getting Data In

Is the Splunk Trial license limited in collecting remote data?

jchr87
New Member

Hello,
I have installed the trial Splunk Enterprise on Linux.
I have also installed the Universal Forwarder in a Windows 8.1 VM. I am trying to collect the logs but I can't.
With netstat I see that it connects but it doesn't send anything.
Is the trial license limited for remote data?

0 Karma

ddrillic
Ultra Champion

The following is a good place to start: I can't find my data!

0 Karma

skoelpin
SplunkTrust

There could be a lot of different reasons as to why you're not getting data into Splunk.

Did you configure the outputs.conf on your forwarder to point at the indexer?
Did you configure your inputs.conf?
Did you restart the forwarder service after making these changes?

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Getstartedwithgettingdatain

0 Karma

jchr87
New Member

Documentation/Splunk/6.5.0/Admin/Inputsconf ??

Which of these should I edit?

Right now the inputs.conf in the local directory only has the Splunk Enterprise entry. Should I add the forwarders there? Could you give an example of how it would look?

Thanks!!

0 Karma

skoelpin
SplunkTrust

Under your SPLUNK_HOME/etc/system/local, post the contents of your inputs.conf and outputs.conf.

I'll give an example when I get home

0 Karma

skoelpin
SplunkTrust

You will need to modify the inputs.conf and outputs.conf on the remote host where the forwarder is installed, under /opt/splunkforwarder/etc/system/local.

The inputs.conf file will look like this:

[default]
host = YOUR_HOSTNAME

[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

You will need to include the path and filename you want to monitor.

Your outputs.conf file will look like this:

[tcpout]
defaultGroup = xxx.xx.xx.xxx_9997

[tcpout:xxx.xx.xx.xxx_9997]
server = xxx.xx.xx.xxx:9997

[tcpout-server://xxx.xx.xx.xxx:9997]

The xxx.xx.xx.xxx will be the indexer IP, or the VIP if in a clustered environment.

Don't forget to restart the Splunk service on the forwarder after making these changes! Also make sure you created the index in Splunk which you defined in the inputs.conf.

0 Karma

jchr87
New Member

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 9997 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 9997 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9997 -m state --state ESTABLISHED -j ACCEPT
COMMIT

That's what I have now! But I still can't send data!

0 Karma

jchr87
New Member

In Linux, what should I configure for the firewall, because I am still not receiving data.
Now the forwarder is on the active list.
Should 8089 and 9997 be opened on the forwarder in order to communicate with the indexer?

0 Karma
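The replies above point at three places to look when a forwarder connects but no data arrives: outputs.conf (does defaultGroup name a tcpout group with a host:port server?), inputs.conf (is there an enabled monitor stanza, and does its index exist on the indexer?), and the firewall on the indexer side (does the INPUT chain admit new TCP connections to 9997, not only ESTABLISHED ones?). The following checker is an added example and not code from this thread or from Splunk; it parses those files offline. The sample inputs.conf, outputs.conf and iptables-save text inside it are constructed, and the set of known indexes is assumed to come from the indexer's indexes.conf or `splunk list index`.

```python
"""Offline checker for the three things the replies in this thread point at:
the forwarder's inputs.conf, its outputs.conf, and the indexer's iptables
rules for the receiving port. Added example, not code from the thread or
from Splunk; the sample .conf and iptables text below is constructed."""
import re


def parse_conf(text):
    """Parse Splunk .conf text ([stanza] followed by key = value lines)
    into {stanza: {key: value}}; blank lines and # comments are skipped."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_outputs(outputs):
    """Problems in outputs.conf: defaultGroup must name a [tcpout:<group>]
    stanza, and that stanza needs server = host:port."""
    group = outputs.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["outputs.conf: [tcpout] has no defaultGroup"]
    stanza = outputs.get("tcpout:" + group)
    if stanza is None:
        return [f"outputs.conf: no [tcpout:{group}] stanza for defaultGroup"]
    server = stanza.get("server", "")
    if not re.fullmatch(r"[\w.-]+:\d{1,5}", server):
        return [f"outputs.conf: [tcpout:{group}] server '{server}' is not host:port"]
    return []


def check_inputs(inputs, known_indexes):
    """Problems in inputs.conf: there must be an enabled [monitor://...]
    stanza, and each one must target an index that exists on the indexer
    (events for an undefined index are not indexed, as the last reply warns)."""
    problems = []
    monitors = [s for s in inputs if s.startswith("monitor://")]
    if not monitors:
        problems.append("inputs.conf: no [monitor://...] stanza, nothing is collected")
    for stanza in monitors:
        settings = inputs[stanza]
        if settings.get("disabled", "false").lower() in ("1", "true"):
            continue
        index = settings.get("index", "main")  # Splunk's default index
        if index not in known_indexes:
            problems.append(f"inputs.conf: [{stanza}] uses index '{index}' which is not defined on the indexer")
    return problems


def check_iptables(rules_text, port=9997):
    """Problems in `iptables-save` output on the indexer: new TCP connections
    to the receiving port must be admitted on INPUT, either by an explicit
    ACCEPT that is not limited to ESTABLISHED state, or by an ACCEPT chain
    policy with no DROP/REJECT for that port. An ESTABLISHED-only rule never
    lets the forwarder's first SYN through."""
    lines = [r.strip() for r in rules_text.splitlines()]
    accept_rule = re.compile(r"^-A INPUT\b(?=.*-p tcp)(?=.*--dport %d\b)(?=.*-j ACCEPT)" % port)
    drop_rule = re.compile(r"^-A INPUT\b.*--dport %d\b.*-j (DROP|REJECT)" % port)
    accepts = [l for l in lines if accept_rule.search(l)]
    new_ok = any("state" not in r or "NEW" in r for r in accepts)
    policy_accept = any(l.startswith(":INPUT ACCEPT") for l in lines)
    explicit_drop = any(drop_rule.search(l) for l in lines)
    if new_ok or (policy_accept and not explicit_drop):
        return []
    return [f"iptables: INPUT chain has no ACCEPT for new TCP connections to dport {port}"]


def run_checks(inputs_text, outputs_text, iptables_text, known_indexes):
    """Run all three checks; an empty list means nothing obviously wrong."""
    return (check_outputs(parse_conf(outputs_text))
            + check_inputs(parse_conf(inputs_text), known_indexes)
            + check_iptables(iptables_text))


# Constructed sample data: a Windows forwarder monitoring one log file.
SAMPLE_INPUTS = r"""
[default]
host = WIN81-VM

[monitor://C:\Windows\System32\LogFiles\example.log]
disabled = false
sourcetype = example_log
index = win_logs
"""

SAMPLE_OUTPUTS = """
[tcpout]
defaultGroup = indexer_9997

[tcpout:indexer_9997]
server = 192.0.2.10:9997

[tcpout-server://192.0.2.10:9997]
"""

# Constructed iptables-save excerpt for the Linux indexer.
SAMPLE_IPTABLES = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 9997 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 9997 -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # Assumed index list; on a real indexer take it from indexes.conf.
    for problem in run_checks(SAMPLE_INPUTS, SAMPLE_OUTPUTS, SAMPLE_IPTABLES, {"main", "win_logs"}):
        print(problem)
```

With `win_logs` removed from the known index set the checker reports the missing index, which is the silent failure mode the thread's last answer warns about: the forwarder connects and sends, but the indexer has nowhere to put the events. Run against the iptables rules posted in the thread (chain policy ACCEPT plus an explicit dport 9997 ACCEPT), the firewall check passes.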