Getting Data In

Why is my Linux forwarder not sending data to a Windows Splunk server with my current configuration?

venanciop
New Member

inputs.conf


[default]
host = linux_fowarder_server

[monitor:///var/log/secure]
disabled = false

outputs.conf


[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = SPLUNKSERVERNAME:514

[tcpout-server://SPLUNKSERVERNAME:514]

deploymentclient.conf


[deployment-client]
clientName = LinuxForwarder
[target-broker:deploymentServer]
targetUri= SPLUNKSERVERNAME:8089

server.conf


[sslConfig]
sslKeysfilePassword = $1$INbYbpZpebsv

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

[general]
pass4SymmKey = $1$d5qMMtMvMukv
serverName = _linux_fowarder_server_name

I've already enabled port 514 and 9997 in splunk server.

0 Karma
1 Solution

somesoni2
Revered Legend

You should specify the index name in the inputs.conf monitoring stanza. If you don't specify the index name, data will go to "main" index by default. Check index=main all time to see if you can see your data.

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi venanciop,

like @somesoni2 said use an inputs.confthat specifies the index:

[monitor:///var/log/secure]
disabled = false
index = linux

and restart the forwarder. Any new added events will be in index=linux

cheers, MuS

venanciop
New Member

Yes, it worked!! Thank you very much!

0 Karma

somesoni2
Revered Legend

You should specify the index name in the inputs.conf monitoring stanza. If you don't specify the index name, data will go to "main" index by default. Check index=main all time to see if you can see your data.

View solution in original post

venanciop
New Member

Yes, I can see there, I've changed my inputs.conf in fowarder server to bellow and is working!

[default]
host = fowarder_server_name

[monitor:///var/log/secure]
disabled = false
index=linux

Thank you very much somesoni2

0 Karma

MuS
SplunkTrust
SplunkTrust

check if there is any firewall blocking or any possible network route failure.
Any reason why you send cooked data over to port 514 ?

0 Karma

venanciop
New Member

Its not blocked, telnet is working.

I added the linux to 514 because all windows fowarders are sending data to 9997.

0 Karma

MuS
SplunkTrust
SplunkTrust

Have you searched on all indexes over all time?
What does the index=_internal on the indexer report for the forwarder?

0 Karma

venanciop
New Member
9/21/15 

4:39:57.000 PM

Sep 21 17:39:57 fowarderservername sshd[31627]: Accepted password for joao.admin from 192.168.168.168 port 2326 ssh2
host = fowarderservername index = main linecount = 1 source = /var/log/secure sourcetype = linux_secure splunk_server = RJMSRV067 splunk_server_group = dmc_group_deployment_server splunk_server_group = dmc_group_indexer

0 Karma

venanciop
New Member

Seems data data is being sent to the main index and not linux index that i have created

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!