Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are logs not being forwarded after installing the universal forwarder on Linux machineRHEL?

blebit
Path Finder
‎11-10-2014 06:14 AM

hi all,

after installing splunk universal forwarder on linux machine RHEL i have this message after ./splunk list forward-server :
Active forwards:
None
Configured but inactive forwards:
x.x.x.x:9997
but i checked firewall and it is ok.

Connection to x.x.x.x 9997 port [tcp/palace-6] succeeded!
But logs are not going on splunk server
universalforwarder version: splunkforwarder-6.1.4-233537-linux-2.6-x86_64.rpm

what might be the problem?
thanks

0 Karma
Reply

grijhwani
Motivator
‎11-10-2014 07:12 AM

What version is your indexer/heavy forwarder doing the receiving?

0 Karma
Reply

blebit
Path Finder
‎11-10-2014 07:31 AM

splunk server: 6.1.2 on centOS

0 Karma
Reply

Raghav2384
Motivator
‎11-10-2014 06:42 AM

Did you enable Receiving on the Splunk Server, which is supposed to get the logs forwarded by UF?

Reply

blebit
Path Finder
‎11-10-2014 07:00 AM

yes, because i am receiving from other linux hosts

0 Karma
Reply

Raghav2384
Motivator
‎11-10-2014 07:21 AM

Interesting, Just did a UF install. Created some Monitor stanzas in inputs.conf and mentioned server in the outputs.conf. I see the server address after forwards: x.x.x.x. Is the splunkd running on the splunk server 🙂 (Please don't yell at me for asking this). Reason why i ask, i get forward : none after i intentionally stopped splunkd on Splunk server.

0 Karma
Reply

blebit
Path Finder
‎11-10-2014 07:30 AM

on client:

/opt/splunkforwarder/bin/splunk start
The splunk daemon (splunkd) is already running.

on server also is running, i have 230 hosts sending logs on splunk.
also in this case i am monitoring /var/log/
i think i followed all the instructions.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...