Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is Splunk forwarder is not forwarding events?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is Splunk forwarder is not forwarding events?
Hi,
We have installed Splunk to forward audit logs from LDAP to server02 and are not getting any events from the server. The logs are filtered and forwarded correctly to server01 just not to server02. Is this because server02 is not defined in the defaultgroup ?
Please advice.
Here are the configuration files.
Inputs.conf (Entry)
[monitor:///logsa/audit.log]
source = IT-LDAP-audit-ldapdb2
sourcetype = IT-LDAP-audit_entry
disabled = false
Outputs.conf
[tcpout]
defaultGroup = default-clone-group-server01_9997
disabled = false
isLoadBalanced = False
maxQueueSize = 1000
indexAndForward = false
[tcpout:server02_1536]
disabled = false
server = server02.com:1536
[props.conf]
[IT-LDAP-audit_entry]
TIME_PREFIX = ^AuditV3--
TIME_FORMAT = %Y-%m-%d-%H:%M:%S
TZ = US/Eastern
BREAK_ONLY_BEFORE = ^AuditV3--
TRANSFORMS-skip = knownldapaudit
TRANSFORMS-routing = arcsightldapnp
[transform.conf]
[arcsightldapnp]
REGEX = Invalid credentials
DEST_KEY = _TCP_ROUTING
FORMAT = arcsightldapnpreader
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you need to specify it in default group.
Splunk documentation says -- * Starting with 4.2, this attribute is no longer required. But somehow this doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Steve,
Sorry for the delayed response. It did not work. Here is the relevant info from props.conf, outputs.conf, & transforms.conf file.
props.conf entry
[IT-LDAP-audit_entry]
TIME_PREFIX = ^AuditV3--
TIME_FORMAT = %Y-%m-%d-%H:%M:%S
TZ = US/Eastern
BREAK_ONLY_BEFORE = ^AuditV3--
TRANSFORMS-routing = arcsightldapnp
Transforms.conf entry
[arcsightldapnp]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = arcsightldapnpreader
Outputs.conf
[tcpout:arcsightldapnpreader]
disabled = false
server = servername:1536
Thanks in advance for your help
Murali
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did it work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Strive,
Thank your for your quick response.
Murali
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
