I have installed splunk UF V8.1.3 on Solaris sparc server V11.5.we are not getting any log from those servers apart from _internal logs.
we did below checks.
1.connection fine- telnet happening connected
2.splunkd log -connected to hf and refusing in few seconds.
3.directory path is fine in input.conf file.
4.nothing found in HF audit log.
5.checked firewall logs showing server rest and client reset.
6.debug log collected and share with support team no root cause found.
Can you please help on this?
What could be the issue? Is there any configuration need to modified?
you have to check the read permissions on the file to read for group and others, in this way you will know if the user you're using to run Splunk is enabled to read the files, if not, you have three ways:
Check from splunkd.log if there is something. Another easy way is just login to splunk user (what ever it is in your environment) and then try to look those file with tail -5 <file>. If you can see it's content then that user has access to this file.
if you're receiving Splunk internal logs, the connection is OK, so you have to debug the inputs.
At first check if the user that you're using to run Splunk (on Forwarder) has the grants to read the files to monitor.
Then you can see the splunkd logs on the forwarder at $SPLUNK_HOME/var/log/splunk/splunkd.log or on Splunk running a search on _internal to see what's the problem.
Usually the problem are the grants.
If you continue to have problems, you can open a Case to Splunk Support, because your platform is in the compatible list https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements (only for Universal Forwarders.