[default]
host = linux_fowarder_server

[monitor:///var/log/secure]
disabled = false

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = SPLUNKSERVERNAME:514

[tcpout-server://SPLUNKSERVERNAME:514]

[deployment-client]
clientName = LinuxForwarder

[target-broker:deploymentServer]
targetUri = SPLUNKSERVERNAME:8089

[sslConfig]
sslKeysfilePassword = $1$INbYbpZpebsv

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

[general]
pass4SymmKey = $1$d5qMMtMvMukv
serverName = _linux_fowarder_server_name

I've already enabled ports 514 and 9997 on the Splunk server.
Check if there is any firewall blocking or any possible network route failure.
Any reason why you send cooked data over to port 514?
It's not blocked; telnet is working.
I added the Linux to 514 because all Windows forwarders are sending data to 9997.
Have you searched on all indexes over all time?
What does the index=_internal on the indexer report for the forwarder?
Sep 21 17:39:57 fowarderservername sshd: Accepted password for joao.admin from 192.168.168.168 port 2326 ssh2
host = fowarderservername index = main linecount = 1 source = /var/log/secure sourcetype = linuxsecure splunkserver = RJMSRV067 splunkservergroup = dmcgroupdeploymentserver splunkservergroup = dmcgroup_indexer
Seems data is being sent to the main index and not the linux index that I have created.
You should specify the index name in the inputs.conf monitoring stanza. If you don't specify the index name, data will go to "main" index by default. Check index=main all time to see if you can see your data.
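An added example, not part of the thread or of Splunk's own tooling: a small checker that reports which index each enabled monitor stanza in an inputs.conf resolves to, so security logs such as /var/log/secure that silently fall through to "main" are caught before searches and access controls scoped to another index miss them. The BEFORE and AFTER samples are the stanzas quoted in this thread; the function names are hypothetical, and the script reads a single file only, without merging the layered configuration directories Splunk combines at runtime.

```python
def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def resolve_indexes(text, fallback="main"):
    """Map each enabled [monitor://...] path to its destination index.

    Resolution order: the stanza's own index, then [default], then "main".
    """
    stanzas = parse_conf(text)
    inherited = stanzas.get("default", {}).get("index", fallback)
    result = {}
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        if settings.get("disabled", "false").lower() in ("true", "1"):
            continue
        result[name[len("monitor://"):]] = settings.get("index", inherited)
    return result

def misrouted(text, expected):
    """Return monitored paths whose resolved index is not the expected one."""
    return sorted(p for p, idx in resolve_indexes(text).items() if idx != expected)

# Stanzas as posted in the thread: original input, then the corrected one.
BEFORE = """[default]
host = linux_fowarder_server

[monitor:///var/log/secure]
disabled = false
"""
AFTER = """[monitor:///var/log/secure]
disabled = false
index = linux
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, resolve_indexes(conf), "misrouted:", misrouted(conf, "linux"))
```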
Yes, I can see it there. I've changed my inputs.conf on the forwarder server to the below and it is working!
host = fowarderservername
disabled = false
Thank you very much somesoni2
Like @somesoni2 said, use an inputs.conf that specifies the

[monitor:///var/log/secure]
disabled = false
index = linux

and restart the forwarder. Any new added events will be in