Solved: Troubleshooting Universal Forwarder on Linux

paul_hignutt · ‎10-31-2012

When I try to add my indexer to the configuration of my linux box where I have installed the universal forwarder, it errors on authentication.

This is on Splunk 5.0, and the Splunk server (indexer) is actually a VM on the linux box where I have installed the universal forwarder. I know that I have not entered the username and password incorrectly. I've tried splunk'ing for errors of failed logins within my deployment and come up with nothing.

I've done a tcpdump packet capture on the splunk server and I don't see any packets coming into the server. So I'm pretty sure my forwarder isn't working at all. I have verified connectivity and done a TCP PING to port 9997 and I DO see traffic get to the splunk server and back on that port.

This is what I get from the forwarder script:

# /opt/splunkforwarder/bin/splunk add forward-server 172.20.227.211:9997 -auth admin:password
Login failed
Login failed
Unauthorized

Ideas on where I can start looking? I use linux every day as a workstation, so I'm more than familiar although I wouldn't consider myself a *nix ninja. I've followed the directions here:
forwarder install instructions

Gilberto_Castil · ‎10-31-2012

You should use

admin:changeme

View solution in original post

Gilberto_Castil · ‎10-31-2012

You should use

admin:changeme

Troubleshooting Universal Forwarder on Linux

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?