Universal Forwarder, Server Class.

test_qweqwe
Builder

I installed the UF on a Linux client.
Then I ran

./splunk set deploy-poll *.*.*.*:8089

Client did not appear in Forwarder Management in Clients.

What did I miss?

0 Karma
1 Solution


lycollicott
Motivator

Verify that it created $SPLUNK_HOME/etc/system/local/deploymentclient.conf and that it is correct.

0 Karma

test_qweqwe
Builder

deploymentclient.conf created and it's correct.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
did you restart Splunk?
did you check if port 8089 is open (telnet xx.xx.xx.xx 8089)?

Bye.
Giuseppe
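
As an added example (not code from this thread or from Splunk), the two checks suggested in the thread so far, verifying that deploymentclient.conf exists and names a target, and verifying that the deployment server's management port answers, combined in one POSIX shell script. The SPLUNK_HOME default, the stanza and key names it looks for (`[target-broker:deploymentServer]`, `targetUri`) and the use of bash's `/dev/tcp` instead of telnet are assumptions of this example; run it with `--check` on the forwarder host.

```shell
#!/bin/sh
# Added example: sanity-check a Universal Forwarder's deployment-client
# configuration. SPLUNK_HOME default is an assumption for a UF install.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# parse_target_uri <deploymentclient.conf>
# Prints the targetUri value from the [target-broker:deploymentServer]
# stanza; returns 1 if the file, stanza or key is missing. The client does
# not poll at all without this value, so it is the first thing to confirm.
parse_target_uri() {
    conf="$1"
    [ -r "$conf" ] || return 1
    uri=$(awk '
        /^[[:space:]]*\[/ { in_stanza = ($0 ~ /^\[target-broker:deploymentServer\]/) }
        in_stanza && /^[[:space:]]*targetUri[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$conf")
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Split "host:port"; the port defaults to 8089 (the management port) when
# the value omits it.
uri_host() { printf '%s\n' "${1%%:*}"; }
uri_port() { case "$1" in *:*) printf '%s\n' "${1##*:}" ;; *) echo 8089 ;; esac; }

# check_port <host> <port>
# TCP reachability test with a 5 s timeout, using bash's /dev/tcp so it
# works where telnet/nc are not installed. A failure here points at a
# host firewall, a cloud security group, or a deployment server that is
# not listening, rather than at the forwarder's own configuration.
check_port() {
    host="$1"; port="$2"
    timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

run_checks() {
    conf="$SPLUNK_HOME/etc/system/local/deploymentclient.conf"
    target=$(parse_target_uri "$conf") || {
        echo "FAIL: no targetUri found in $conf"; return 1; }
    echo "deploymentclient.conf targets $target"
    if check_port "$(uri_host "$target")" "$(uri_port "$target")"; then
        echo "OK: $target is reachable"
    else
        echo "FAIL: cannot reach $target (firewall, security group, or DS down?)"
        return 1
    fi
}

# Only touch the network when explicitly asked, so the functions above can
# be sourced or tested on their own.
if [ "${1:-}" = "--check" ]; then
    run_checks
fi
```

If the parser succeeds but the port check fails, the problem is outside the forwarder, which is exactly the situation this thread ends up in.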

test_qweqwe
Builder

Yes, I restarted and port is open.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Check in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf whether the hostname is correct or is duplicated on another machine.
Bye.
Giuseppe

0 Karma

test_qweqwe
Builder

All is good.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Try to manually install an outputs.conf to send logs to indexers and see if forwarder sends logs.
Bye.
Giuseppe

0 Karma

test_qweqwe
Builder

The problem was in the AWS security policies, which were blocking ports. Now my client is in Forwarder Management.
But the problem is that I accidentally removed $SPLUNK_HOME/etc/system/local/outputs.conf

Is it a big problem or not?

0 Karma

ddrillic
Ultra Champion

Normally $SPLUNK_HOME/etc/system/local/outputs.conf is empty while $SPLUNK_HOME/etc/apps/<your deployment app>/local/outputs.conf has the output information.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
the best approach to outputs.conf is to create a Technical Add-On (TA) containing only outputs.conf to deploy using a Deployment server, so you can centrally manage your outputs.conf.

But if you have the described problem, you can manually create your outputs.conf in two ways:

In both cases, restart Splunk.

Bye.
Giuseppe

0 Karma
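
The TA-based approach Giuseppe recommends, and the app-directory layout ddrillic describes, as an added example (not code from this thread or from Splunk): a POSIX shell script that builds a deployment app carrying only outputs.conf under the deployment server's etc/deployment-apps directory, binds it to a server class, and validates the result before it is handed out. The app name, class name, indexer hostnames, receiving port 9997 and the `whitelist.0 = *` match-all are assumptions of the example; run it with `--build` on the deployment server.

```shell
#!/bin/sh
# Added example: build a minimal outputs-only deployment app on a
# deployment server. SPLUNK_HOME default is an assumption.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# make_outputs_ta <deployment-apps dir> <app name> <group name> <server list>
# Writes <dir>/<app>/local/outputs.conf with one tcpout group and prints
# the path. Keeping outputs.conf only here (not in system/local on the
# forwarder) is what lets the deployment server own it centrally.
make_outputs_ta() {
    base="$1"; app="$2"; group="$3"; servers="$4"
    dir="$base/$app/local"
    mkdir -p "$dir"
    printf '[tcpout]\ndefaultGroup = %s\n\n[tcpout:%s]\nserver = %s\n' \
        "$group" "$group" "$servers" > "$dir/outputs.conf"
    printf '%s\n' "$dir/outputs.conf"
}

# make_serverclass <system/local dir> <class name> <app name>
# Appends a server class that targets every polling client and assigns the
# app to it, restarting splunkd on the client so the new outputs take effect.
make_serverclass() {
    conf_dir="$1"; class="$2"; app="$3"
    mkdir -p "$conf_dir"
    printf '[serverClass:%s]\nwhitelist.0 = *\n\n[serverClass:%s:app:%s]\nrestartSplunkd = true\n' \
        "$class" "$class" "$app" >> "$conf_dir/serverclass.conf"
    printf '%s\n' "$conf_dir/serverclass.conf"
}

# validate_outputs_conf <outputs.conf>
# Structural checks that catch the common mistakes: no [tcpout] stanza, a
# defaultGroup that names no stanza, or a server entry without a port.
validate_outputs_conf() {
    f="$1"
    grep -q '^\[tcpout\]' "$f" || { echo "missing [tcpout]"; return 1; }
    group=$(awk -F'=' '/^[[:space:]]*defaultGroup[[:space:]]*=/ {
        gsub(/[[:space:]]/, "", $2); print $2; exit }' "$f")
    [ -n "$group" ] || { echo "missing defaultGroup"; return 1; }
    grep -q "^\[tcpout:$group\]" "$f" || { echo "no [tcpout:$group] stanza"; return 1; }
    servers=$(awk -F'=' '/^[[:space:]]*server[[:space:]]*=/ { print $2; exit }' "$f" | tr ',' '\n')
    [ -n "$servers" ] || { echo "no server line"; return 1; }
    echo "$servers" | tr -d ' ' | grep -qvE '^[^:]+:[0-9]+$' && {
        echo "a server entry has no port"; return 1; }
    return 0
}

if [ "${1:-}" = "--build" ]; then
    # Assumed names and indexer addresses; replace with your own.
    out=$(make_outputs_ta "$SPLUNK_HOME/etc/deployment-apps" "org_all_outputs" \
        "primary_indexers" "idx1.example.internal:9997, idx2.example.internal:9997")
    validate_outputs_conf "$out" && echo "wrote $out"
    make_serverclass "$SPLUNK_HOME/etc/system/local" "linux_uf" "org_all_outputs"
fi
```

After the files are in place the deployment server has to reload its configuration before clients pick the app up; once a forwarder receives it, the same outputs.conf appears under its own etc/apps/org_all_outputs/local, matching the layout ddrillic describes.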

test_qweqwe
Builder

In my UF I used this command: ./splunk add monitor /var/log
And it created the stanza [monitor///] in /opt/splunkforwarder/etc/apps/search/local/inputs.conf

How can I easily create a TA in my deployment server to send to the UF?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
It isn't so easy to describe in a few words!
Follow the instructions on https://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver to understand how Deployment Server works and how to configure and use it.

Anyway, in your last comment you spoke about a different thing: the command ./splunk add monitor /var/log is useful to add a monitor stanza to inputs.conf, whereas I spoke about outputs.conf, which is the way to tell the forwarder which indexers to send data to.

Bye.
Giuseppe

0 Karma