I have installed Splunk Light on a server and installed the Windows Forwarding agent on a separate server to forward Windows Event Logs. I entered the host name of the splunk server during the install process.
I have opened port 9997 on the firewall between these two machines but when I go to Add Data -> Forwarders, the forwarding server doesn't show up. It only says "There are currently no forwarders configured as deployment clients to this instance".
The forwarder was installed using local system account.
Can anyone tell me what I'm missing here?
Just following up with this post, but did @ogdin's answer and comment help solve your question? If yes, don't forget to resolve the post by clicking "Accept" directly below the answer. Thanks!
You also need to point the Forwarder to the Splunk Light server as a Deployment Client. Go to $SPLUNK_HOME/bin on the Forwarder and do:
splunk set deploy-poll splunklight-servername/ip:splunklight-mgmt-port
The management port is 8089 by default. Then you should see the Forwarder in the Add Data -> Forwarders Section once the Forwarder handshakes with the server. Might not show up immediately but give it a sec and you will see it.
Thanks for that Ogdin. I tried that, but still don't get any traffic past my firewall policy. The new log entry is:
DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
I'm having the same problem. Why does the Forwarder default to pot 9997, but the Splunk Light instance only listen on 8087?
Also, when I enter in the splunk set dploy-poll.10.1.1.1:8087, I get asked for a Splunk user/pass. My instance account didn't work.
For this purpose, the only relevant ports open by default on the Splunk Light instance are 8000 for the Web interface and 8089 for the management port. These can be changed during Splunk start up if the ports are already taken. To get a Forwarder connected to send data to a Splunk Light instance AND under the control of the Splunk Light instance, you need to do a couple of things.
You should now see the Forwarder in the Add Data, Forwarded inputs section on the Splunk Light instance.
thanks for that info. I installed the forwarder on my local machine (win 8.1) and can see in my firewall logs successful communication with my splunk server on 9997 and 8089 from my machine but still don't see any forwarders in Splunk. As for the command "splunk set deploy-poll : ", i'm not quite sure what to do with that. I opened a command window to that directory and entered that command but get a weird message.
C:\Program Files\SplunkUniversalForwarder\bin>splunk set deploy-poll :
Operation "ospath_fopen" failed in c:\splunk\build-src\6.2.2\src\libzero\conf-mu
tator-locking.c:311, conf_mutator_lock(); No error
I have been able setup remote event log capturing but would still like to figure out how to use the forwarder.