Getting Data In

Universal Forwarder on Windows

pfabrizi
Path Finder

I am testing the install of the universal forwarder for Windows. I am running Splunk Enterprise 6.5.1, but the universal forwarder I installed on Windows is 6.6.2.

I get these errors.
Is this a compatibility issue?

8-21-2017 13:16:00.593 -0400 WARN TcpOutputFd - Connect to 10.83.180.135:9997 failed. A socket operation was attempted to an unreachable network.

8-21-2017 13:16:00.593 -0400 ERROR TcpOutputFd - Connection to host=10.83.180.135:9997 failed

0 Karma
1 Solution

skoelpin
SplunkTrust

It's not a compatibility issue; it's an issue with your forwarder connecting to your indexer. Did you enable receiving on the indexer? If not, go to Settings > Forwarding & Receiving > Enable Receiving and add port 9997 to listen on.


0 Karma

pfabrizi
Path Finder

So I have it forwarding now; I was missing an inputs.conf configuration. It was the out-of-the-box default, I guess.

What I do have a question about is the folder structure.

My other Windows server has a custom configuration folder, which I think was pushed to it from the deployment server?

I am not really sure since we had a consultant set all this up and I haven't had any training to date.

0 Karma

tmarlette
Motivator

You will likely need some training, my friend. I suggest the administration course. Check here:
https://www.splunk.com/view/SP-CAAAAH9?ac=News_Feb09_EDU

The only folder that overrides /$SPLUNK_HOME/etc/apps/ is
$SPLUNK_HOME/etc/system/

Also, there should never be a reason to touch /etc/system/default. Bad things can happen if you mess up there, and there's no fallback. You changed the right one in /etc/system/local. Always make changes there.

If you have conflicting configurations, it's common that there's something in /etc/system/local.

Folder priority is a pretty dense topic with Splunk, and depends heavily on your architecture.

Also... if you manipulated your forwarder manually, you may want to check the others for a deploymentclient.conf file somewhere, either in /etc/system/apps/ or in /etc/system/local.

If you're using a DS, there is a default configuration that ANY Windows forwarder will pull down as soon as it connects.

0 Karma
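As an added example (not code from this thread or from Splunk), here is a small Python model of how Splunk layers several copies of one .conf file, applied to the three outputs.conf locations the question lists. The precedence order is Splunk's documented global-context order; the file contents and the 10.83.180.135:9997 target are constructed for the demonstration.

```python
import configparser

# Lowest to highest precedence for outputs.conf (global context), per Splunk's
# documented configuration file precedence rules.
LAYER_ORDER = ("system/default", "apps/default", "apps/local", "system/local")

def layer_of(path):
    """Map a conf path (Windows or POSIX separators) to its precedence layer."""
    parts = path.replace("\\", "/").lower().split("/")
    parts = parts[parts.index("etc") + 1:]          # drop the $SPLUNK_HOME prefix
    scope, stage = parts[0], parts[-2]              # 'system'|'apps', 'default'|'local'
    if scope not in ("system", "apps") or stage not in ("default", "local"):
        raise ValueError(f"unrecognised conf location: {path}")
    return f"{scope}/{stage}"

def parse_conf(text):
    """Parse Splunk's INI-style stanzas into {stanza: {key: value}}."""
    # Splunk only uses '=' as the separator; keep ':' out of the delimiters so
    # values such as host:port are not split in the wrong place.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   delimiters=("=",))
    cp.optionxform = str                            # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_conf(files):
    """files: {path: text}. Higher layers override only the keys they set.
    Returns (merged stanzas, {stanza: {key: path that supplied the winning value}})."""
    merged, winner = {}, {}
    for path, text in sorted(files.items(), key=lambda kv: LAYER_ORDER.index(layer_of(kv[0]))):
        for stanza, keys in parse_conf(text).items():
            for key, value in keys.items():
                merged.setdefault(stanza, {})[key] = value
                winner.setdefault(stanza, {})[key] = path
    return merged, winner

# Constructed sample contents for the three copies listed in the thread (not real files).
SAMPLE = {
    r"etc\system\default\outputs.conf":
        "[tcpout]\nmaxQueueSize = auto\nuseACK = false\n",
    r"etc\apps\SplunkUniversalForwarder\default\outputs.conf":
        "[tcpout]\nforwardedindex.filter.disable = false\n",
    r"etc\system\local\outputs.conf":
        "[tcpout]\ndefaultGroup = primary_indexers\nuseACK = true\n\n"
        "[tcpout:primary_indexers]\nserver = 10.83.180.135:9997\n",
}

if __name__ == "__main__":
    merged, winner = merge_conf(SAMPLE)
    for stanza, keys in merged.items():
        for key, value in keys.items():
            print(f"[{stanza}] {key} = {value}    <- {winner[stanza][key]}")
```

On the forwarder itself, `splunk btool outputs list --debug` reports the same winning-file view from the real files.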

pfabrizi
Path Finder

I have other windows servers sending on 9997. I do have a question on which outputs.conf gets used.
I have 3 of them.

etc\apps\splunkuniversalforwarder\default
etc\system\default
etc\system\local - this is the one I changed.

Where should it be?

Thanks!

0 Karma

tmarlette
Motivator

Using a few assumptions, I'm going to guess that 10.83.180.135 is your indexer? (Port 9997 is the default data port.)

If that's the case, there's a connectivity issue between the two machines. Try telnet tests / ssh tests and resolve as a standard connectivity issue.

0 Karma