Splunk universal forwarder issues in windows

Sravane · ‎01-11-2021

Hi All - I have installed SPlunk master in Linux and universal forwarder in Windows box.

And Also opened all Ports .Currently when i do Telnet server ip 9997 ,it is showing timeout in windows box.

In Splunk logs found following warning.Cooked connectioned timeout and some certificate issues.

Can you please provide rootcause or solution for this issue.

gcusello · ‎01-11-2021

let me understand:

you have Splunk Enterprise on a Linux server (Indexer),
you have a Universal Forwarder on Linux,
you're testing connection betweem Forwarder and Indexer using Telnet from Forwarder to Indexer and you fail;

is it correct?

If this is your situation, you have to check the following items:

Check the above items and then try again with telnet.

Ciao.

Giuseppe

Sravane · ‎01-11-2021

Hi Ciao -Let explain question

And connection between Splunk enterprise and forwarder is failing. We enabled ports aswell

gcusello · ‎01-11-2021

are you saying that:

you enabled receiving on Indexer on 9997 port [Settings -- Forwarding and Receiving -- receiving];
you disabled local firewall on Indexer (iptables);
you're sure that there isn't any Firewall between Forwarder and Indexer;
both the servers are in the same network segments.

Can you confirm?

If telnet from Forwarder to Indexer fails, probably one of the previous checks is wrong.

Ciao.

Giuseppe

Sravane · ‎01-11-2021

Hi -Please let me know how to disable firewall?

ANy commands to run?

Moreover,i tried telnet ip 9997 in universal forwared server and i got following error

"Configured but inactive forwards"

Thanks,

Sravan

Thanks,

Sravan

gcusello · ‎01-11-2021

it depends on the Linux version you're using, you can search it in Google.

Ciao.

Giuseppe