Getting Data In

Not receiving data from some forwarders

Contributor

Newbie here with an issue.

Running Splunk 4.2.2 indexer on Linux and universal forwarders 4.2.2 on Windows 7 machines. I have 15 forwarders, but only receive data from the first 6 that were installed. I don't even see the forwarders listed under Hosts or the see their Source types on the summary screen. I see errors such as the following in the forwarder's splunkd.log

07-19-2011 15:25:05.121 -0400 INFO TcpOutputProc - Connected to idx=xx.xx.xxx.xxx:9997
07-19-2011 15:25:09.561 -0400 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" --driver-path "C:\Program Files\SplunkUniversalForwarder\bin"" splunk-regmon - No enabled entries were found in the conf files.

In the indexer's splunkd log I see messages such as:

Waiting for connection from src = aa.bb.ccc.dddd:portno to close before shutting down TCPInputProcessor.

So, it seems that the indexer knows of the forwarder's existance. Not sure what to look at next to try to resolve the issue.

Splunk Employee
Splunk Employee

Also check to make sure you have permissions to read the files you are monitoring.

0 Karma

Path Finder

If you run a "splunk list monitor -auth admin:changeme" command from the splunk\bin directory, does it list files that are being monitored to sent to the indexer?
If it lists nothing, you may have to modify your inputs.conf file to make sure you are monitoring the files that you hope to.

Communicator

Answered my own question... on a default install, can still use "admin" and "changeme"

0 Karma

Communicator

I'd like to run this command:
"splunk list monitor -auth admin:changeme"
on my windows universal forwarder. Since the service runs under the Local System acct, what credentails can\should I use in place of changeMe?

0 Karma

Contributor

It did turn out to be a permissions issue on the inputs.conf file on at least on one of the servers. Looking at the next server and still have the same problem. Not resolved yet.

0 Karma

Contributor

Running that command does indeed show that the two desired files are not being monitored. But, I can't find anything different between the inputs.conf file in the MSICreated directory on this forwarder and the forwarders where it is correctly working. I'm trying to find some kind of diff style utility to run against both directories.

Could permissions have anything to do with it?

0 Karma