Before I start this is a serious case of blind leading the blind.
Currently we have a VMware VM running Windows Server 2016 hosting Splunk Enterprise. To date we have managed to get the forwarder installed on Windows 7, Windows 2003, Windows 2008, Solaris and Mint Linux (just for a laugh). Without much administration it all works well, but when we come to RHEL 7, for some reason we cannot get it to work; everything appears to be okay. We installed the RPM forwarder, but nothing appears to be happening.
As this is a test system we have disabled both server and client firewalls and can ping the server in both directions, but we can't seem to get it to work. The only thing we have managed to find using Google is a potential issue with SELinux, so we have disabled that.
Any suggestions, as this would save the sanity of the "intern".
I can't post the logs since they are on a standalone system; all we have in the universal forwarder inputs.conf is
host = localhost.localdomain
Any suggestions are welcome.
Thank you for your answer.
All I have in the inputs.conf file is
host = localhost.localdomain.
I can't post the log file since the system is on a standalone machine.
Any suggestion is welcome.
If you don't have anything else in your inputs.conf, you simply didn't set up any inputs. No data is going to come because you didn't tell it what to collect. 😉
No, not by default. You need to configure your UF with the IP of the deployment server, they don't call home by default.
You could do this by doing
/opt/splunkforwarder/bin/splunk set deploy-poll YOURSERVER:8089 (and maybe restarting).
You could also create a separate app (this is the clean way!) with a deploymentclient.conf like this:
YOURSERVER has to be replaced with the IP or DNS name of your Splunk instance.
Can you use tcpdump on the Splunk Enterprise instance to check if you get any communication from that instance to TCP port 9997?
Also, did you try to check for any logs with my tstats command posted in the other comment?
Once again, you need to see what the forwarder logs are saying to troubleshoot your issue. You claimed to install the UF on a RHEL server, so you can either look on that RHEL server under the path I gave you above, or, if you are forwarding your UF log files, you can look in Splunk. We are unable to help you until you look
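A small shell check that ties together two points raised above (an inputs.conf with no input stanzas, and reading the forwarder's own splunkd.log for its connection state). It is an added example, not code from anyone in the thread; the sample files and log lines are constructed, and the /opt/splunkforwarder paths in the comments are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for a Universal Forwarder that
# installs fine but "nothing appears to be happening". Files below are
# constructed samples; on a real UF point the functions at (assumed paths)
# /opt/splunkforwarder/etc/system/local/inputs.conf and
# /opt/splunkforwarder/var/log/splunk/splunkd.log.

# Count data-input stanzas ([monitor://...], [script://...], ...) in an
# inputs.conf, ignoring [default]. A file that only sets "host = ..." yields 0:
# the forwarder was never told what to collect, so nothing is forwarded.
count_input_stanzas() {
    grep -E '^\[' "$1" | grep -vE '^\[default\]' | grep -c . || true
}

# Classify the forwarder's splunkd.log: "connected" if it reached an indexer,
# "failing" if output attempts time out or are refused, "no-output-seen" if it
# never tried at all (typically no outputs.conf, or nothing to send).
uf_output_state() {
    if grep -q 'TcpOutputProc - Connected to idx=' "$1"; then
        echo connected
    elif grep -qE 'TcpOutputProc - .*(timed out|refused|Connection failure)' "$1"; then
        echo failing
    else
        echo no-output-seen
    fi
}

tmp=$(mktemp -d)
# Constructed inputs.conf like the one in the question: a host, no inputs.
printf '[default]\nhost = localhost.localdomain\n' > "$tmp/inputs_bare.conf"
# Constructed inputs.conf that actually monitors a file.
printf '[default]\nhost = rhel7-test\n\n[monitor:///var/log/messages]\nsourcetype = syslog\n' \
    > "$tmp/inputs_ok.conf"
# Constructed splunkd.log excerpts (timestamps and 192.0.2.x addresses are made up).
printf '%s\n' '01-01-2024 10:00:00.000 +0000 WARN  TcpOutputProc - Cooked connection to ip=192.0.2.10:9997 timed out' \
    > "$tmp/splunkd_fail.log"
printf '%s\n' '01-01-2024 10:00:05.000 +0000 INFO  TcpOutputProc - Connected to idx=192.0.2.10:9997, pset=0, reuse=0.' \
    > "$tmp/splunkd_ok.log"

echo "bare inputs.conf stanzas: $(count_input_stanzas "$tmp/inputs_bare.conf")"   # 0
echo "ok inputs.conf stanzas:   $(count_input_stanzas "$tmp/inputs_ok.conf")"     # 1
echo "failing log state:        $(uf_output_state "$tmp/splunkd_fail.log")"      # failing
echo "healthy log state:        $(uf_output_state "$tmp/splunkd_ok.log")"        # connected
```

A stanza count of 0 on the bare file is exactly the situation the first answer describes; a "failing" state on the real log points at the 9997 connectivity the tcpdump suggestion is meant to confirm.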