Getting Data In

Why am I getting "Login failed" trying to add a Splunk universal forwarder?

Explorer

I am using Splunk Enterprise (Amazon Market Place AMI)
I have added Forwarding receiving port 9997
Installed universal forwarder and adding the forwarder to server failed: xx.xx.xxx.xx is my serverIP

PRODUCTION [root@jenkins bin]$ ./splunk add forward-server xx.xx.xxx.xx:9997 -auth admin:abcdef@123
Login failed

But using console xx.xx.xxx.xx:8000 with the same password and same username, I am able to login.

Please Help.

0 Karma

SplunkTrust
SplunkTrust

If you installed the forwarder fresh, without any custom method which sets the authentication, the default credential would be admin:changeme on the Universal forwarder. The above command is run on the universal forwarder and the credentials passed is for the Universal forwarder instance.

Try like this

./splunk add forward-server xx.xx.xxx.xx:9997 -auth admin:changeme

Or setup admin credentials on universal forwarder to use the same credentials (admin: PasswordFromIndexer) either using CLI OR using user-seed.conf
http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/User-seedconf
http://docs.splunk.com/Documentation/Splunk/6.2.6/Security/ConfigureuserswiththeCLI