inputs.conf
[default]
host = linux_fowarder_server
[monitor:///var/log/secure]
disabled = false
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = SPLUNKSERVERNAME:514
[tcpout-server://SPLUNKSERVERNAME:514]
deploymentclient.conf
[deployment-client]
clientName = LinuxForwarder
[target-broker:deploymentServer]
targetUri = SPLUNKSERVERNAME:8089
server.conf
[sslConfig]
sslKeysfilePassword = $1$INbYbpZpebsv
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[general]
pass4SymmKey = $1$d5qMMtMvMukv
serverName = _linux_fowarder_server_name
I've already enabled ports 514 and 9997 on the Splunk server.
You should specify the index name in the inputs.conf monitoring stanza. If you don't specify the index name, data will go to the "main" index by default. Check index=main over all time to see if you can see your data.
Hi venanciop,
like @somesoni2 said, use an inputs.conf that specifies the index:
[monitor:///var/log/secure]
disabled = false
index = linux
and restart the forwarder. Any newly added events will be in index=linux.
cheers, MuS
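A small check that catches the problem in this thread before the forwarder is restarted: it parses an inputs.conf, applies Splunk's [default] stanza inheritance, and lists every enabled monitor:// stanza whose events would end up in main because no index is set. This is an added example, not code from the thread or from Splunk; the sample inputs.conf is constructed from the one posted above, and the boolean spellings accepted for disabled= are an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: the forwarder's inputs.conf as first posted in the thread.
# The monitor stanza has no index=, so /var/log/secure events land in main.
SAMPLE_INPUTS_CONF = """\
[default]
host = linux_fowarder_server

[monitor:///var/log/secure]
disabled = false
"""

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf files: [stanza] headers and key = value lines.
    Blank lines and # comments are skipped; keys stay case-sensitive, as in Splunk."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_index(stanzas: Dict[str, Dict[str, str]], name: str) -> str:
    """Resolve index= as Splunk does: stanza value, else [default] value, else 'main'."""
    defaults = stanzas.get("default", {})
    return stanzas[name].get("index", defaults.get("index", "main"))

def stanzas_landing_in_main(text: str) -> List[str]:
    """Return the enabled monitor:// stanzas whose events would be indexed into main."""
    stanzas = parse_conf(text)
    defaults = stanzas.get("default", {})
    hits = []
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        disabled = settings.get("disabled", defaults.get("disabled", "false"))
        if disabled.lower() in ("1", "true"):  # assumption: common boolean spellings
            continue
        if effective_index(stanzas, name) == "main":
            hits.append(name)
    return hits
```

Run it over each forwarder's inputs.conf during deployment and treat any hit as a misrouted input; appending `index = linux` to the stanza, as MuS suggests, clears the finding.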
Yes, it worked!! Thank you very much!
Yes, I can see it there. I've changed my inputs.conf on the forwarder server to the below and it is working!
[default]
host = fowarder_server_name
[monitor:///var/log/secure]
disabled = false
index = linux
Thank you very much somesoni2
Check whether there is any firewall blocking the connection or a possible network route failure.
Any reason why you send cooked data over to port 514?
It's not blocked; telnet is working.
I added the Linux forwarder to 514 because all Windows forwarders are sending data to 9997.
Have you searched on all indexes over all time? What does index=_internal on the indexer report for the forwarder?
9/21/15 4:39:57.000 PM
Sep 21 17:39:57 fowarderservername sshd[31627]: Accepted password for joao.admin from 192.168.168.168 port 2326 ssh2
host = fowarderservername index = main linecount = 1 source = /var/log/secure sourcetype = linux_secure splunk_server = RJMSRV067 splunk_server_group = dmc_group_deployment_server splunk_server_group = dmc_group_indexer
Seems data is being sent to the main index and not the linux index that I have created.