Solved: Re: Why are my Windows system event logs not getti...

SridharS · ‎12-15-2015

Hi, I need to index some Windows system event logs of a remote server (using forwarder) into Splunk. My files are as below in the path $home/etc/apps/<myappname>/local on the forwarder

inputs.conf

[winEventLog://system]
disable = 0
whitelist = 41,104
index = wineventlog

outputs.conf

[tcpout]
default = primary_indexers
[tcpout:primary_indexers]
useACK=true
server = splunkservername:9997

I restarted the forwarder. My tcp port 9997 is open, but why are the logs not getting indexed in Splunk. The last log in the splunkd was:

12-15-2015 14:45:37.097 -0500 WARN  TcpOutputProc - Raw connection to ip=serverip:9997 timed out
12-15-2015 14:45:37.097 -0500 INFO  TcpOutputProc - Ping connection to idx=serverip:9997 timed out. continuing connections
12-15-2015 14:45:37.097 -0500 INFO  TcpOutputProc - Ping connection to idx=serverip:9997 timed out. continuing connections

hortonew · ‎12-15-2015

Has it ever been able to send logs to your indexers? If not, verify that your universal fowarder can:

telnet splunkservername 9997

If that is successful, rule out slow/problematic dns resolutions by configuring your hosts file to map that server name to its IP. Report back after ruling these out. If you try both of these and there are still issues, chances are the problem is on the indexer and not your client sending data. You can also try setting connection_host=false in your inputs.conf for the 9997 stanza, making sure the indexer isn't trying to resolve the name of the forwarder.

View solution in original post

hortonew · ‎12-15-2015

Has it ever been able to send logs to your indexers? If not, verify that your universal fowarder can:

telnet splunkservername 9997

If that is successful, rule out slow/problematic dns resolutions by configuring your hosts file to map that server name to its IP. Report back after ruling these out. If you try both of these and there are still issues, chances are the problem is on the indexer and not your client sending data. You can also try setting connection_host=false in your inputs.conf for the 9997 stanza, making sure the indexer isn't trying to resolve the name of the forwarder.

SridharS · ‎12-16-2015

it worked when i added connection_host=false to my inputs.conf

goelt2000 · ‎01-08-2016

hi,

Whats the difference between connection_host=false and connection_host=ip.

I am facing similar errors as mentioned on
https://answers.splunk.com/answers/49833/splunk-forwarder-connection-refused-from-splunk-indexer.htm...

Thanks

hortonew · ‎01-08-2016

From the docs:
connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk
system hostname.
* Defaults to "dns".

goelt2000 · ‎01-08-2016

none means it will leave it to be the receiver hostname?
What does connection_host=false, means?

Thanks much!

hortonew · ‎01-08-2016

None would be whatever is configured in the forwarder's inputs.conf. So if you have a universal forwarder sending data, whatever is in that universal forwarder's inputs.conf for hostname.

I'm 90% sure none and false do the same thing, but I couldn't find confirmation.

Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life