Getting Data In

Universal Forwarder, Server Class.

test_qweqwe
Builder

I install UF on linux client.
Than I

./splunk set deploy-poll *.*.*.*:8089

Client did not appear in Forwarder Management in Clients.

What i miss?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
did you restarted Splunk?
did you checked if port 8089 is open (telnet xx.xx.xx.xx 8089)

Bye.
Giuseppe

View solution in original post

lycollicott
Motivator

Verify that it created $SPLUNK_HOME/etc/system/local/deploymentclient.conf and that it is correct.

0 Karma

test_qweqwe
Builder

deploymentclient.conf created and it's correct.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
did you restarted Splunk?
did you checked if port 8089 is open (telnet xx.xx.xx.xx 8089)

Bye.
Giuseppe

test_qweqwe
Builder

Yes, I restarted and port is open.

0 Karma

gcusello
SplunkTrust
SplunkTrust

check in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf if hostname is correct or is duplicated with another machine.
Bye.
Giuseppe

0 Karma

test_qweqwe
Builder

All is good.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Try to manually install an outputs.conf to send logs to indexers and see if forwarder sends logs.
Bye.
Giuseppe

0 Karma

test_qweqwe
Builder

The problem was in AWS Security policis which was block ports. Now my client is in Forwarder Management.
But the problem is that I accidentally removed $SPLUNK_HOME/etc/system/local/outputs.conf

It's big problem or not?

0 Karma

ddrillic
Ultra Champion

Normally $SPLUNK_HOME/etc/system/local/outputs.conf is empty while $SPLUNK_HOME/etc/apps/<your deployment app>/local/outputs.conf has the output information.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
the best approach to outputs.conf is to create a Technical Add-On (TA) containing only outputs.conf to deploy using a Deployment server, so you can centrally manage your outputs.conf.

But if you have the described problem you can manually create your outputs.conf in two ways:

in both the cases restart Splunk.

Bye.
Giuseppe

0 Karma

test_qweqwe
Builder

In my UF I used this command: ./splunk add monitor /var/log
And it's created stanza [monitor///] in /opt/splunkforwarder/etc/apps/search/local/inputs.conf

How me easy create TA in my deployment server to send it to UF?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
It isn't so easy to describe in few words!
Follow the instructions on https://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver to understand how Deployment Server works and how to configure and use it.

Anyway, in your last comment you spoke about a different things, the command ./splunk add monitor /var/log is useful to add a monitor stanza to inputs.conf, instead I spoke about outputs.conf, that is the way to say to the forwarder which are the indexer to send data.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...