Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

log forwarding doesnt work, linux

konradwawryn
Explorer
‎01-08-2013 07:27 AM

Hi,

it would be great if somebody could help me. Since few hours I`m trying to configure log forwarder, but without result.

This is my scenario:

(1)ApplicationServer --> (2)SomeServer with Splunkforwarder --> (3)Splunk server

(1)hostname:appserver Application server(Tomcat) generating logs. On the same machine I have installed Splunkforwarder which forwarding(not working at the moment) logs to machine (2).

(2)hostname:logforwarder Someserver with Splunkforwarder - this machine needs to receive all logs from machine (1) and forward it to machine number (3)

(3)hostname:webpanel Splunk server - webpanel

Maybe somebody could paste here content of inputs.conf / outputs.conf for appserver , logforwarder. I would like to finaly establish connection between that machines.

Thanks in advance for Your help.

0 Karma
Reply

emiller42
Motivator
‎01-08-2013 08:08 AM

To accomplish this the second host in the chain needs to be a full version of splunk, not a Universal Forwarder. This is because the intermediary will be acting as an indexer to collect any data forwarded to it.

So on your application server, in it's Universal forwarder instance, you will want an outputs.conf with something like:

[tcpout]
server=logforwarder

Then, on the logforwarder machine, you will have a full splunk install, but it will also have a outputs.conf indicating where it should send it's data to:

[tcpout]
server=webpanel

logforwarder does not need an inputs.conf, as it's not monitoring any logs directly. It's simply accepting incoming data much like an indexer would. You would also want to have any other props.conf stanzas present that are relevant at index-time. (line breaking, timestamps, etc)

0 Karma
Reply

konradwawryn
Explorer
‎01-08-2013 07:49 AM

Appserver cannot forward directly to webpanel because it is located in DMZ. I need to transfer logs using machine(some kind of gateway) which have an access to DMZ and LAN.

Appserver(DMZ) --- firewall = port 8089/9997 open --> logforwarder(DMZ) --- firewall between DMZ and LAN = port 8089/9997 open --> webpanel(LAN)

I would like to know how to configure inputs.conf and outputs.conf files on that first two machines.

0 Karma
Reply

emiller42
Motivator
‎01-08-2013 07:41 AM

Can you be more specific in the roles each of these servers plays? Why isn't appserver forwarding directly to webpanel?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...