I am setting up a test lab with Splunk. As I have a VPS (Virtual Private Server) for web hosting, I thought it would be a good idea to have some data from a source external to my LAN.
I installed the Universal Forwarder on my VPS. When doing so and setting the indexer, it would not let me enter the correct username and password, so I had to set admin:changeme. On my LAN, port forwarding is configured and the DUC client from NO-IP is installed on the Splunk box, but nothing is being indexed.
Running netstat on my Splunk box, I can see active connections from the VPS to the Splunk box on port 9997, which is correct, as that is what I configured on the forwarder.
The only thing that I can think of is that auth is failing. But how can I fix this if it won't let me set the correct credentials on the forwarder? It fails straight away and looks like it doesn't even query the remote indexer.