Solved: Troubleshooting Universal Forwarder on Linux

paul_hignutt · ‎10-31-2012

When I try to add my indexer to the configuration of my linux box where I have installed the universal forwarder, it errors on authentication.

This is on Splunk 5.0, and the Splunk server (indexer) is actually a VM on the linux box where I have installed the universal forwarder. I know that I have not entered the username and password incorrectly. I've tried splunk'ing for errors of failed logins within my deployment and come up with nothing.

I've done a tcpdump packet capture on the splunk server and I don't see any packets coming into the server. So I'm pretty sure my forwarder isn't working at all. I have verified connectivity and done a TCP PING to port 9997 and I DO see traffic get to the splunk server and back on that port.

This is what I get from the forwarder script:

# /opt/splunkforwarder/bin/splunk add forward-server 172.20.227.211:9997 -auth admin:password
Login failed
Login failed
Unauthorized

Ideas on where I can start looking? I use linux every day as a workstation, so I'm more than familiar although I wouldn't consider myself a *nix ninja. I've followed the directions here:
forwarder install instructions

Gilberto_Castil · ‎10-31-2012

You should use

admin:changeme

View solution in original post

Gilberto_Castil · ‎10-31-2012

You should use

admin:changeme

Troubleshooting Universal Forwarder on Linux

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation