Getting Data In
Re: What am I missing to get a successful connection between my Universal Forwarder and the sandbox?

Builder

Hello, that looks like pretty normal startup stuff. I would look near the end of the log for anything relating to the monitor you set up. It looks like your forwarding connection is okay based on the list forward-servers output.

Builder

Okay, so it looks like your connection is up. Since you are setting host to ip-172-31-35-141 in your inputs, you should be able to search for host=ip-172-31-35-141 (I would use all-time for troubleshooting in this case, just in case there are timestamp discrepancies). You also need to make sure that the user the Splunk forwarder is running as has read permissions on the logs you have added.

Builder

Also, based on the above config, you will need to have created a "test" index on your sandbox as well, and depending on user/role you may need to use index=test in your search. Also, did you create a catalina sourcetype on your sandbox instance? If your data is not one of the built-in types, this should be done.

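The three replies above amount to a checklist: forwarding connection up, an explicit host value to search on, the forwarder's user able to read the monitored file, the target index created on the indexer, and the custom sourcetype defined there. The script below is an added example, not part of the thread and not a Splunk utility: it reads a constructed inputs.conf modelled on the one under discussion, checks whether a given uid/gid set can read the monitored file without needing sudo, checks an indexer-side indexes.conf and props.conf for the index and sourcetype, and builds the search to run. The host name ip-172-31-35-141, index test and sourcetype catalina are taken from the thread; every conf body, path and log line is constructed for illustration.

```python
"""Pre-flight checks for a Universal Forwarder monitor input.

Added example, not from the thread and not Splunk's own tooling. Assumes
the forwarder's inputs.conf and the indexer's indexes.conf/props.conf can
be read from disk; all conf bodies, paths and log text are constructed.
"""
import configparser
import os
import stat
import tempfile


def parse_conf(text):
    """Splunk .conf body -> {stanza: {key: value}} (key case preserved)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def build_inputs_conf(log_path):
    """Forwarder inputs.conf modelled on the thread: explicit host, custom index/sourcetype."""
    return (f"[monitor://{log_path}]\n"
            "disabled = false\n"
            "host = ip-172-31-35-141\n"
            "index = test\n"
            "sourcetype = catalina\n")


# Indexer side (constructed). A fresh sandbox has no 'test' index yet; the
# second body is what indexes.conf looks like once it has been created.
INDEXES_MISSING_TEST = "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n"
INDEXES_WITH_TEST = INDEXES_MISSING_TEST + (
    "\n[test]\n"
    "homePath = $SPLUNK_DB/test/db\n"
    "coldPath = $SPLUNK_DB/test/colddb\n"
    "thawedPath = $SPLUNK_DB/test/thaweddb\n")
# Minimal props.conf stanza so the custom sourcetype is known to the indexer.
PROPS_CONF = "[catalina]\nSHOULD_LINEMERGE = true\nTRUNCATE = 10000\n"


def monitor_inputs(inputs_conf):
    """(path, settings) for every enabled [monitor://...] stanza."""
    found = []
    for stanza, settings in parse_conf(inputs_conf).items():
        enabled = settings.get("disabled", "0").lower() not in ("1", "true")
        if stanza.startswith("monitor://") and enabled:
            found.append((stanza[len("monitor://"):], settings))
    return found


def readable_by(path, uid, gids):
    """Mode-bit check: could a process running as uid/gids open path read-only?
    Needs the search (x) bit on every parent directory and the read bit on
    the file. Ignores ACLs and SELinux, which can still deny the forwarder."""
    def allowed(st, owner_bit, group_bit, other_bit):
        if uid == 0:
            return True                      # root bypasses DAC read checks
        if st.st_uid == uid:
            return bool(st.st_mode & owner_bit)
        if st.st_gid in gids:
            return bool(st.st_mode & group_bit)
        return bool(st.st_mode & other_bit)

    path = os.path.abspath(path)
    current = os.sep
    for part in path.split(os.sep)[1:-1]:
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except OSError:
            return False
        if not allowed(st, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    try:
        st = os.stat(path)
    except OSError:
        return False
    return allowed(st, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def preflight(inputs_conf, indexes_conf, props_conf, uid, gids):
    """Apply the checklist to every enabled monitor stanza. Returns
    (problems, searches): findings, plus the SPL to run on the indexer."""
    indexes, props = parse_conf(indexes_conf), parse_conf(props_conf)
    problems, searches = [], []
    for path, s in monitor_inputs(inputs_conf):
        index, sourcetype, host = s.get("index", "main"), s.get("sourcetype"), s.get("host")
        if index not in indexes:
            problems.append(f"index '{index}' is not defined on the indexer")
        if sourcetype and sourcetype not in props:
            problems.append(f"sourcetype '{sourcetype}' has no props.conf stanza on the indexer")
        if not readable_by(path, uid, gids):
            problems.append(f"{path} is not readable by uid {uid}")
        searches.append(f"index={index} " + (f"host={host} " if host else "") + f'source="{path}"')
    return problems, searches


def demo():
    """Throwaway catalina.out (mode 0600, owned by us); run the checks as
    ourselves and as an unrelated uid that should be refused."""
    log_path = os.path.join(tempfile.mkdtemp(), "catalina.out")
    with open(log_path, "w") as fh:
        fh.write("INFO: Server startup in 1234 ms\n")   # constructed log line
    os.chmod(log_path, 0o600)
    me, my_groups = os.getuid(), set(os.getgroups()) | {os.getgid()}
    inputs_conf = build_inputs_conf(log_path)
    before, searches = preflight(inputs_conf, INDEXES_MISSING_TEST, PROPS_CONF, me, my_groups)
    after, _ = preflight(inputs_conf, INDEXES_WITH_TEST, PROPS_CONF, me, my_groups)
    other_uid, _ = preflight(inputs_conf, INDEXES_WITH_TEST, PROPS_CONF, me + 1, set())
    return {"before": before, "after": after, "other_uid": other_uid, "search": searches[0]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real host, feed it the forwarder user's uid and group ids (from `id splunk`, or whichever account runs splunkd) and the real conf files; the search string it prints is the one to run over all time on the sandbox. The permission check only looks at mode bits, so a file that passes here can still be unreadable under SELinux or a restrictive ACL.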
Path Finder

When I do this command, host="ip-172-31-35-141" source="/var/lib/tomcat7/logs/catalina.out", I get a bunch of logs. Are these the results that I should be getting?

Builder

It sounds like your monitor input is getting indexed on your sandbox instance. Yay! You did it!

Path Finder

lol man, that was an experience, but every time I do a query I get these flags:

Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log
The limit has been reached for log messages in info.csv. 1 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '(?i)source::....zip(.\d+)?'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'ActiveDirectory'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'BoxAppForSplunkcontroller-toosmall'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'Linux:SELinuxConfig'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'PerformanceMonitor'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'SplunkTAaws-RestEndpoints-account-list-too_small'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinNetMonMk'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinNetMonMk'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinPrintMon'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinRegistry'.

Path Finder

The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinWinHostMon'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '_singleline'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '_json'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access_combined'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access_combined_wcookie'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access_common'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'aix_secure'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'anaconda'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'anaconda_syslog'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'apache_error'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'asterisk_cdr'.

Path Finder

Are these errors from my connection or sandbox settings?

Builder

This is something missing/misconfigured on your sandbox. Did you install any additional apps to your sandbox?

This sounds like a topic for a new question 😉

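As an added example of how to act on that answer (not from the thread, and not a Splunk tool): the warning text names both the lookup and the props.conf stanza that references it, so the script below parses the warnings and then walks an etc/apps tree for the LOOKUP-* setting that names the lookup, resolving it through the same app's transforms.conf to the CSV that should sit under the app's lookups/ directory. The apps tree, the app name dropdowns_app, and the conf bodies are constructed. Putting the setting in a [default] stanza is an assumption for the demo, chosen because it is one way a single lookup ends up referenced by every sourcetype on the instance, as in the list above; the real cause on the poster's sandbox is not shown on the page.

```python
"""Trace a 'lookup table does not exist' search warning to the app that
defines it. Added example, not from the thread and not a Splunk tool.
Assumes the warning comes from an automatic lookup (a LOOKUP-* setting in
some app's props.conf pointing at a transforms.conf stanza whose CSV is
missing). The apps tree and conf bodies below are constructed.
"""
import configparser
import os
import re
import tempfile

# Three of the lines quoted in the thread, used as sample input; the info.csv
# line is noise produced by the volume of lookup warnings and is ignored.
SAMPLE_WARNINGS = [
    "The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'ActiveDirectory'.",
    "The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access_combined'.",
    'Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log',
]
WARNING_RE = re.compile(r"The lookup table '(?P<lookup>[^']+)' does not exist\. "
                        r"It is referenced by configuration '(?P<stanza>[^']+)'")


def parse_warnings(lines):
    """lookup name -> sorted props.conf stanzas that reference it."""
    refs = {}
    for line in lines:
        m = WARNING_RE.search(line)
        if m:
            refs.setdefault(m["lookup"], set()).add(m["stanza"])
    return {name: sorted(stanzas) for name, stanzas in refs.items()}


def parse_conf(path):
    """Splunk .conf file -> {stanza: {key: value}}; a missing file -> {}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read(path)
    return {name: dict(cp[name]) for name in cp.sections()}


def find_lookup_references(etc_dir, lookup_name):
    """Scan <etc_dir>/apps/*/{default,local}/props.conf for LOOKUP-* settings
    whose first token is lookup_name and resolve each through the app's
    transforms.conf (default overlaid by local) to the CSV under lookups/.
    Simplification: real resolution also sees lookups exported by other apps."""
    findings = []
    apps_dir = os.path.join(etc_dir, "apps")
    for app in sorted(os.listdir(apps_dir)):
        app_dir = os.path.join(apps_dir, app)
        transforms = {}
        for layer in ("default", "local"):
            transforms.update(parse_conf(os.path.join(app_dir, layer, "transforms.conf")))
        for layer in ("default", "local"):
            props = parse_conf(os.path.join(app_dir, layer, "props.conf"))
            for stanza, settings in props.items():
                for key, value in settings.items():
                    if not key.startswith("LOOKUP-") or value.split()[:1] != [lookup_name]:
                        continue
                    definition = transforms.get(lookup_name, {})
                    csv_name = definition.get("filename")
                    csv_path = os.path.join(app_dir, "lookups", csv_name) if csv_name else None
                    findings.append({
                        "app": app, "layer": layer, "props_stanza": stanza,
                        "setting": f"{key} = {value}",
                        "defined_in_transforms": bool(definition),
                        "csv_path": csv_path,
                        "csv_exists": bool(csv_path) and os.path.isfile(csv_path),
                    })
    return findings


def demo():
    """Constructed etc/apps tree: one app whose [default] props stanza adds an
    automatic lookup (inherited by every sourcetype) but ships no CSV.
    Returns the parsed warnings and the findings before/after adding the CSV."""
    etc = tempfile.mkdtemp()
    app = os.path.join(etc, "apps", "dropdowns_app")       # hypothetical app name
    os.makedirs(os.path.join(app, "default"))
    os.makedirs(os.path.join(app, "lookups"))
    with open(os.path.join(app, "default", "props.conf"), "w") as fh:
        fh.write("[default]\nLOOKUP-dropdowns = dropdownsLookup sourcetype OUTPUT category\n")
    with open(os.path.join(app, "default", "transforms.conf"), "w") as fh:
        fh.write("[dropdownsLookup]\nfilename = dropdowns.csv\n")
    missing = find_lookup_references(etc, "dropdownsLookup")
    with open(os.path.join(app, "lookups", "dropdowns.csv"), "w") as fh:
        fh.write("sourcetype,category\ncatalina,tomcat\n")   # constructed lookup table
    fixed = find_lookup_references(etc, "dropdownsLookup")
    return {"warnings": parse_warnings(SAMPLE_WARNINGS), "missing": missing, "fixed": fixed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the sandbox, point it at the real tree with something like `find_lookup_references("/opt/splunk/etc", "dropdownsLookup")`; the app it names is the one to fix or remove. Splunk's own view of the merged configuration, `splunk btool props list --debug`, will show the same LOOKUP- setting together with the file it came from, which is the quickest cross-check.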
Path Finder

Yeah, I installed sandbox for Linux and Unix but stopped with the process when I saw the (optional) on the step number from one of the forum questions you sent me. I'll ask how to get rid of that, but thanks again for all your help!
