I installed the UF on a Linux client.
Then I ran
./splunk set deploy-poll *.*.*.*:8089
The client did not appear under Clients in Forwarder Management.
What am I missing?
Hi test_qweqwe,
Did you restart Splunk?
Did you check whether port 8089 is open (telnet xx.xx.xx.xx 8089)?
Bye.
Giuseppe
Verify that it created $SPLUNK_HOME/etc/system/local/deploymentclient.conf
and that it is correct.
deploymentclient.conf was created and it's correct.
Yes, I restarted and the port is open.
Check in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf whether the hostname is correct or is duplicated with another machine.
Bye.
Giuseppe
All is good.
Try to manually install an outputs.conf to send logs to indexers and see if forwarder sends logs.
Bye.
Giuseppe
The problem was in the AWS security policies, which were blocking ports. Now my client is in Forwarder Management.
But the problem is that I accidentally removed $SPLUNK_HOME/etc/system/local/outputs.conf
Is it a big problem or not?
Normally $SPLUNK_HOME/etc/system/local/outputs.conf
is empty while $SPLUNK_HOME/etc/apps/<your deployment app>/local/outputs.conf
has the output information.
Hi test_qweqwe,
the best approach to outputs.conf is to create a Technical Add-On (TA) containing only outputs.conf to deploy using a Deployment server, so you can centrally manage your outputs.conf.
But if you have the described problem, you can manually create your outputs.conf in two ways:
by launching the following command from the CLI:
./splunk add forward-server
In both cases, restart Splunk.
Bye.
Giuseppe
On my UF I used this command: ./splunk add monitor /var/log
And it created the stanza [monitor///] in /opt/splunkforwarder/etc/apps/search/local/inputs.conf
How can I easily create a TA on my deployment server to send it to the UF?
Hi test_qweqwe,
It isn't so easy to describe in a few words!
Follow the instructions on https://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver to understand how Deployment Server works and how to configure and use it.
Anyway, in your last comment you spoke about a different thing: the command ./splunk add monitor /var/log
is useful to add a monitor stanza to inputs.conf, whereas I spoke about outputs.conf, which is the way to tell the forwarder which indexers to send data to.
Bye.
Giuseppe
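The checks suggested earlier in this thread (deploymentclient.conf contents, reachability of port 8089) can be combined into one script that also separates a refused connection from one that is silently dropped, which is how a blocking firewall or cloud security policy usually shows up. This is an added example, not code from the thread or from Splunk; the script name check_ds.sh and the sample address are assumptions.

```shell
#!/usr/bin/env bash
# Added example: show which deployment server a forwarder will poll and
# whether that TCP port is open, refused, or silently filtered.
#
# Constructed sample of the file being parsed (address is made up):
#   [target-broker:deploymentServer]
#   targetUri = 10.0.0.5:8089

# Print the last targetUri value in a deploymentclient.conf as host:port,
# dropping an optional scheme prefix such as https://.
target_uri() {
    sed -n 's/^[[:space:]]*targetUri[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" |
        sed 's#^[a-z]*://##' | tail -n 1
}

# Turn the exit status of the timed connect attempt into a diagnosis.
classify() {
    case "$1" in
        0)   echo "open" ;;
        124) echo "filtered" ;;  # timeout(1) fired: packets dropped on the path
        *)   echo "refused" ;;   # immediate failure: no listener, or name did not resolve
    esac
}

# Attempt a TCP connect to host:port with a 3 second limit.
probe() {
    host=${1%:*}
    port=${1##*:}
    # Host and port are passed as arguments, never spliced into the command string.
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null; then
        classify 0
    else
        classify $?
    fi
}

# Runs only when a conf path is given, for example:
#   ./check_ds.sh "$SPLUNK_HOME/etc/system/local/deploymentclient.conf"
if [ -n "${1:-}" ]; then
    uri=$(target_uri "$1")
    [ -n "$uri" ] || { echo "no targetUri found in $1" >&2; exit 2; }
    echo "$uri: $(probe "$uri")"
fi
```

A "filtered" result from the forwarder host while the same port answers from another network points at a network policy between the two machines rather than at the Splunk configuration.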