
My Universal Splunk Forwarder

CHIBUIKEM
Engager

Hello everyone, for the past four weeks I have been struggling with getting the Universal Splunk Forwarder, which I installed in my Windows 10 virtual machine with Sysmon, to send logs to my Splunk Enterprise, which is installed on my host machine (laptop). It has been giving me various wrong outputs, despite the fact that I have configured both the input.conf and output.conf. I have also made sure my Windows 10 virtual machine can ping my Splunk Enterprise machine, and I also used the command "netstat -anob | findstr 9997" and it showed me LISTENING. I also ensured my firewall is not blocking any port, and I enabled the default receiving port 9997 in my Splunk Enterprise. Despite all this it is still showing me "Active forwards: None" and "Configured but inactive forwards: 192.168.56.1:9997". I also want to ask a question: my Windows 10 virtual machine is set to a host-only network; could that be an obstruction? Initially, when I configured it, it was fine, but now it is giving me such a wrong response. Could it be the authentication? I also wanted to ask: should I use the password of my Splunk Enterprise when I am asked for an authentication username and password in my Splunk forwarder?


PrewinThomas
Motivator

@CHIBUIKEM 

Should you use your Splunk Enterprise password? No, you should not use your Splunk Enterprise password.
Also, what is the wrong output/response you are mentioning here? Can you share the errors you are getting?

Try the steps below and see how it goes:

Check the forwarder's internal logs and look for errors.
Telnet to your Splunk Enterprise port 9997 from your VM.
Change your VM's network adapter to "Bridged" mode and test.


Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


CHIBUIKEM
Engager

Thanks Thomas, for your response. However, I have changed the network to bridged but it is still giving me that same wrong response. This is the response I get: "tcp_conn_open_afux ossocket_connect failed with winsock error #10061" (it says it three times), then it says "Active forwards: None, Configured but inactive forwards: 10.71.224.254:9997". I also attached a picture of my VM for a clearer view in the first post.


PrewinThomas
Motivator

It looks like "Connection refused" from your destination (192.168.56.1). Can you confirm that 9997 is listening on 192.168.56.1?
Also run a telnet to it and confirm the connection status.

Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

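To put the checks suggested in the two replies above into one script, here is an added example (not from the thread or from Splunk) that runs on the Windows 10 forwarder VM. It assumes the indexer is at 192.168.56.1:9997 and that the forwarder is installed in the default location; adjust the parameters if yours differ.

```powershell
# Added troubleshooting script for a Windows Universal Forwarder (hypothetical example).
# Assumptions: indexer/receiver at 192.168.56.1 port 9997, default UF install path.
param(
    [string]$Indexer    = "192.168.56.1",
    [int]   $Port       = 9997,
    [string]$SplunkHome = "C:\Program Files\SplunkUniversalForwarder"
)
$splunk = Join-Path $SplunkHome "bin\splunk.exe"

# 1. What target does the forwarder actually have configured? If the file was
#    saved as output.conf instead of outputs.conf, nothing will show up here.
Write-Host "== Effective outputs.conf (btool) =="
& $splunk btool outputs list --debug | Select-String "server"

# 2. Plain TCP reachability from this VM to the receiving port. Winsock error
#    10061 (WSAECONNREFUSED) means the host answered but nothing accepted the
#    connection: no listener on 9997, or a firewall actively rejecting it.
Write-Host "== TCP test to ${Indexer}:${Port} =="
$t = Test-NetConnection -ComputerName $Indexer -Port $Port -WarningAction SilentlyContinue
if ($t.TcpTestSucceeded) {
    Write-Host "OK: port $Port on $Indexer accepts connections"
} elseif ($t.PingSucceeded) {
    Write-Host "Host reachable but port $Port refused/filtered: check receiving is enabled and the host firewall"
} else {
    Write-Host "Host unreachable: check the VM network adapter (host-only vs bridged) and routing"
}

# 3. The forwarder's own view: recent output-queue errors in splunkd.log.
Write-Host "== Recent TcpOutputProc messages in splunkd.log =="
$log = Join-Path $SplunkHome "var\log\splunk\splunkd.log"
Get-Content $log -Tail 500 |
    Select-String -Pattern "TcpOutputProc" |
    Select-Object -Last 10

# 4. Same status the original post quoted. This prompts for the forwarder's own
#    admin credentials (set when the UF was installed), not the Splunk Enterprise login.
Write-Host "== Forward-server status =="
& $splunk list forward-server

# On the Splunk Enterprise host (also Windows), confirm the listener separately:
#   Get-NetTCPConnection -LocalPort 9997 -State Listen
# An empty result means receiving on 9997 is not actually enabled there.
```

Run it from an elevated PowerShell on the VM; step 2 failing while ping succeeds is the pattern that matches the 10061 error quoted above.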