I have a strange problem. When I install the universal forwarder on my log server and perform a netstat -l I do not see port 8000 in a listening state. I do see port 8089, but not 8000. I've tried removing and reinstalling to no avail. The strange thing is, if I install the full splunk version then port 8000 is opened fine for management. If I then uninstall splunk and reinstall the forwarder, I have the same issue again. How do I get the forwarder to open port 8000?
I am installing splunkforwarder-4.2.2-101277-linux-2.6-intel.deb on Ubuntu 8.04.4 LTS.
The UF doesn't occupy port 8000 -- that's the web port and there is no web component to the UF. It should use the management port, however, at 8089 by default.
Universal Forwarder only have management port on port 8089. Port 8000 on full Splunk is web gui port. UF doesn't have webgui.
If you want to change mngmt port 8089 to 8000 on UF do this with command
splunk set splunkd-port 8000
The UF doesn't occupy port 8000 -- that's the web port and there is no web component to the UF. It should use the management port, however, at 8089 by default.
It's ultimately the same code base, so there are some annoying items like that which may mislead you.
Thanks for the quick response, I guess I got confused by this install message:
Splunk has been installed in:
/opt/splunkforwarder
To start Splunk, run the command:
/opt/splunkforwarder/bin/splunk start
To use the Splunk Web interface, point your browser at:
http://loghost:8000