Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

venanciop
New Member

inputs.conf


[default]
host = linux_fowarder_server

[monitor:///var/log/secure]
disabled = false

outputs.conf


[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = SPLUNKSERVERNAME:514

[tcpout-server://SPLUNKSERVERNAME:514]

deploymentclient.conf


[deployment-client]
clientName = LinuxForwarder
[target-broker:deploymentServer]
targetUri= SPLUNKSERVERNAME:8089

server.conf


[sslConfig]
sslKeysfilePassword = $1$INbYbpZpebsv

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

[general]
pass4SymmKey = $1$d5qMMtMvMukv
serverName = _linux_fowarder_server_name

I've already enabled ports 514 and 9997 on the Splunk server.

0 Karma
1 Solution

somesoni2
Revered Legend

You should specify the index name in the inputs.conf monitoring stanza. If you don't specify the index name, data will go to "main" index by default. Check index=main all time to see if you can see your data.

MuS
SplunkTrust

Hi venanciop,

like @somesoni2 said, use an inputs.conf that specifies the index:

[monitor:///var/log/secure]
disabled = false
index = linux

and restart the forwarder. Any newly added events will be in index=linux

cheers, MuS
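The behaviour described in the answers above, as an added example that is not part of the original posts: a small Python check that reports which index each enabled monitor input in an inputs.conf resolves to, and flags inputs that fall back to "main" implicitly. The function names are hypothetical; the two sample configurations are the ones posted in this thread.

```python
# Added example (not from the thread): resolve the effective index of each
# monitor:// input in a single inputs.conf. Function names are hypothetical.
BEFORE = """[default]
host = linux_fowarder_server

[monitor:///var/log/secure]
disabled = false
"""
AFTER = """[default]
host = fowarder_server_name

[monitor:///var/log/secure]
disabled = false
index=linux
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective_indexes(text, fallback="main"):
    """Return {monitor stanza: (index, origin)} for every enabled monitor input."""
    stanzas = parse_conf(text)
    defaults = stanzas.get("default", {})
    result = {}
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        disabled = settings.get("disabled", defaults.get("disabled", "false"))
        if disabled.lower() in ("true", "1"):
            continue
        if "index" in settings:
            result[name] = (settings["index"], "stanza")
        elif "index" in defaults:
            result[name] = (defaults["index"], "[default]")
        else:
            result[name] = (fallback, "implicit")  # no index set anywhere
    return result

def implicit_inputs(text):
    """Names of inputs whose events land in 'main' only because no index was set."""
    return sorted(n for n, (_, o) in effective_indexes(text).items() if o == "implicit")
```

This reads one file only; on a real forwarder, settings are merged across apps, and `splunk btool inputs list --debug` shows the merged result and the file each setting came from.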

venanciop
New Member

Yes, it worked!! Thank you very much!

0 Karma

venanciop
New Member

Yes, I can see it there. I've changed my inputs.conf on the forwarder server to the below and it is working!

[default]
host = fowarder_server_name

[monitor:///var/log/secure]
disabled = false
index=linux

Thank you very much somesoni2

0 Karma

MuS
SplunkTrust

Check if there is any firewall blocking or any possible network route failure.
Any reason why you send cooked data over to port 514?

0 Karma

venanciop
New Member

It's not blocked, telnet is working.

I added the Linux forwarder to 514 because all Windows forwarders are sending data to 9997.

0 Karma

MuS
SplunkTrust

Have you searched on all indexes over all time?
What does the index=_internal on the indexer report for the forwarder?

0 Karma

venanciop
New Member
9/21/15 4:39:57.000 PM

Sep 21 17:39:57 fowarderservername sshd[31627]: Accepted password for joao.admin from 192.168.168.168 port 2326 ssh2
host = fowarderservername index = main linecount = 1 source = /var/log/secure sourcetype = linux_secure splunk_server = RJMSRV067 splunk_server_group = dmc_group_deployment_server splunk_server_group = dmc_group_indexer

0 Karma

venanciop
New Member

Seems data is being sent to the main index and not the linux index that I have created.

0 Karma