I am setting up a test lab with Splunk. As I have a VPS (Virtual Private Server) for web hosting, I thought it would be a good idea to have some data from a source external to my LAN.
I installed the Universal Forwarder on my VPS. When doing so and setting the indexer, it would not let me enter the correct username and password, so I had to set admin:changeme. On my LAN, port forwarding is configured and the DUC client from NO-IP is installed on the Splunk box, but nothing is being indexed.
Running netstat on my Splunk box, I can see active connections from the VPS to the Splunk box on port 9997, which is correct as I configured on the forwarder.
The only thing that I can think of is that auth is failing? But how can I fix this if it won't let me set the correct credentials on the forwarder? It fails straight away and looks like it doesn't even query the remote indexer.
Would appreciate any help.