Getting Data In

Setting up Windows Splunk to accept universal forwarder data

vladimirc
Explorer

My setup is a single forwarder sending logs to a Splunk server. Both machines are running Windows 2008. After editing configuration files, I managed to get my forwarder's log to say:

11-21-2011 12:30:17.921 +0200 WARN  DeploymentClient - Unable to send handshake message to deployment server. Error status is: rejected

Obviously, in my "main" Splunk server, I only see one PC in sources. My question is, how do I setup my Splunk to accept and parse the logs sent by the universal forwarder? I have no problem using both a text editor to edit files manually or the web interface.

Thank you


vladimirc
Explorer

Not entirely sure what the issue was, I suspect setting up the deployment server/client part was interfering with the rest of the settings. I have opted for a reinstall of the forwarder and now everything is working.

vladimirc
Explorer

No, I didn't. I am just trying to forward logs from a machine (using Splunk forwarder) to the main installation (which also has the Splunk web searcher/etc). Am I looking at the wrong log? Or have I setup something wrong?


_d_
Splunk Employee

So, in principle there are at least two things that you need to do:

  1. Have your Splunk Server (this is your indexer) listen for incoming data. This generally means enabling receiving. Use Splunk's UI and go to Manager | Forwarding and receiving | Configure Receiving, click on New and enter port 9997 (if not there already).

  2. Now you have to point your Universal Forwarder to this newly created port on the Splunk indexer. You can do that during the installation of the Universal Forwarder (when it asks you for the address of an indexer) or you do it via outputs.conf. In C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf enter the following and restart:

[tcpout]
defaultGroup = my_indexer_group
[tcpout:my_indexer_group]
server = my_indexer_address:9997

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!
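The two steps above have to agree with each other: the port in the forwarder's [tcpout:...] server entry must be a port the indexer actually receives on. Below is an added example (not part of this answer and not Splunk's own tooling) that parses a forwarder outputs.conf and an indexer inputs.conf, reports any forwarder target whose port the indexer is not listening on, and sorts splunkd.log lines like the ones quoted in this thread into the three things they say (deployment-client handshake, successful connect, connection closed after connect). The config texts and log lines are constructed here; the [splunktcp://<port>] stanza is the inputs.conf form that the Configure Receiving page writes.

```python
"""Check that a forwarder's outputs.conf points at a port the indexer receives
on, and triage splunkd.log lines for the connection messages seen here.
Added example: not Splunk code; all inputs below are constructed."""
import configparser
import re

# Constructed forwarder outputs.conf, modelled on the stanzas in the answer.
FORWARDER_OUTPUTS_CONF = """
[tcpout]
defaultGroup = my_indexer_group
[tcpout:my_indexer_group]
server = my_indexer_address:9997
"""

# Constructed indexer inputs.conf: what "Configure Receiving" on port 9997 writes.
INDEXER_INPUTS_CONF = """
[splunktcp://9997]
disabled = 0
"""

# Constructed splunkd.log lines, modelled on the ones posted in this thread.
SAMPLE_LOG = """\
11-21-2011 12:30:17.921 +0200 WARN  DeploymentClient - Unable to send handshake message to deployment server. Error status is: rejected
11-21-2011 12:31:02.004 +0200 INFO  TcpOutputProc - Connected to idx=10.6.17.101:9997
11-21-2011 12:31:02.118 +0200 INFO  TcpOutputProc - Connection to 10.6.17.101:9997 closed. Read error. An established connection was aborted by the software in your host machine.
"""


def parse_conf(text):
    """Splunk .conf files are INI-style stanzas; configparser handles them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def receiving_ports(inputs_conf):
    """Ports on which the indexer accepts forwarder (splunktcp) connections."""
    cp = parse_conf(inputs_conf)
    ports = set()
    for section in cp.sections():
        # [splunktcp://9997] or [splunktcp://host:9997]
        m = re.fullmatch(r"splunktcp://(?:[^:]*:)?(\d+)", section)
        if m and cp.get(section, "disabled", fallback="0") in ("0", "false"):
            ports.add(int(m.group(1)))
    return ports


def forwarder_targets(outputs_conf):
    """(group, host, port) tuples the forwarder's defaultGroup sends to."""
    cp = parse_conf(outputs_conf)
    group = cp.get("tcpout", "defaultGroup", fallback=None)
    if group is None:
        raise ValueError("[tcpout] has no defaultGroup")
    stanza = f"tcpout:{group}"
    if stanza not in cp:
        raise ValueError(f"defaultGroup {group!r} has no [{stanza}] stanza")
    targets = []
    for entry in cp.get(stanza, "server").split(","):
        host, _, port = entry.strip().rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"bad server entry {entry!r}, expected host:port")
        targets.append((group, host, int(port)))
    return targets


def check_pairing(outputs_conf, inputs_conf):
    """Forwarder targets whose port the indexer is not receiving on."""
    ports = receiving_ports(inputs_conf)
    return [t for t in forwarder_targets(outputs_conf) if t[2] not in ports]


# (component, message fragment, meaning) for the lines seen in this thread.
LOG_RULES = [
    ("DeploymentClient", "Unable to send handshake",
     "deployment-server handshake failed; this is config management, not log forwarding"),
    ("TcpOutputProc", "Connected to idx=",
     "forwarder reached the indexer receiving port"),
    ("TcpOutputProc", "closed. Read error",
     "connection was closed after connecting; check both sides' splunkd.log"),
]


def triage_log(text):
    """Return (level, component, meaning) for each recognised splunkd.log line."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\S+ \S+ \S+ (\w+)\s+(\w+) - (.*)", line)
        if not m:
            continue
        level, component, msg = m.groups()
        for comp, frag, meaning in LOG_RULES:
            if component == comp and frag in msg:
                findings.append((level, component, meaning))
    return findings


if __name__ == "__main__":
    print("receiving ports:", receiving_ports(INDEXER_INPUTS_CONF))
    print("forwarder targets:", forwarder_targets(FORWARDER_OUTPUTS_CONF))
    print("mismatches:", check_pairing(FORWARDER_OUTPUTS_CONF, INDEXER_INPUTS_CONF))
    for finding in triage_log(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

To run it against real files, replace the constructed strings with the contents of the forwarder's etc\system\local\outputs.conf (path given above) and the indexer's etc\system\local\inputs.conf; an empty mismatch list means step 1 and step 2 agree on the port, so any remaining errors are not a port mismatch.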

vladimirc
Explorer

Hello and thank you for your reply. I have followed the steps and there still seems to be an issue:

INFO TcpOutputProc - Connected to idx=10.6.17.101:9997
WARN PubSubConnection - Cannot convert str: to a valid status, returning eRejected.
INFO TcpOutputProc - Connected to idx=10.6.17.101:9997
INFO TcpOutputProc - Connection to 10.6.17.101:9997 closed. Read error. An established connection was aborted by the software in your host machine.

Any clues on what could trigger these messages? Can I provide more information?


sdwilkerson
Contributor

Vladimirc, the "DeploymentServer" and "DeploymentClient" are used to control configurations on remote systems, but they aren't the utility/conduit for how logs are sent. Did you intend to set up the DeploymentServer as well?
