Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are logs not being forwarded after installing the universal forwarder on Linux machineRHEL?

blebit
Path Finder
‎11-10-2014 06:14 AM

hi all,

after installing splunk universal forwarder on linux machine RHEL i have this message after ./splunk list forward-server :
Active forwards:
None
Configured but inactive forwards:
x.x.x.x:9997
but i checked firewall and it is ok.

Connection to x.x.x.x 9997 port [tcp/palace-6] succeeded!
But logs are not going on splunk server
universalforwarder version: splunkforwarder-6.1.4-233537-linux-2.6-x86_64.rpm

what might be the problem?
thanks

0 Karma
Reply

grijhwani
Motivator
‎11-10-2014 07:12 AM

What version is your indexer/heavy forwarder doing the receiving?

0 Karma
Reply

blebit
Path Finder
‎11-10-2014 07:31 AM

splunk server: 6.1.2 on centOS

0 Karma
Reply

Raghav2384
Motivator
‎11-10-2014 06:42 AM

Did you enable Receiving on the Splunk Server, which is supposed to get the logs forwarded by UF?

Reply

blebit
Path Finder
‎11-10-2014 07:00 AM

yes, because i am receiving from other linux hosts

0 Karma
Reply

Raghav2384
Motivator
‎11-10-2014 07:21 AM

Interesting, Just did a UF install. Created some Monitor stanzas in inputs.conf and mentioned server in the outputs.conf. I see the server address after forwards: x.x.x.x. Is the splunkd running on the splunk server 🙂 (Please don't yell at me for asking this). Reason why i ask, i get forward : none after i intentionally stopped splunkd on Splunk server.

0 Karma
Reply

blebit
Path Finder
‎11-10-2014 07:30 AM

on client:

/opt/splunkforwarder/bin/splunk start
The splunk daemon (splunkd) is already running.

on server also is running, i have 230 hosts sending logs on splunk.
also in this case i am monitoring /var/log/
i think i followed all the instructions.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...