Getting Data In

splunk stopped forwarding...

DTERM
Contributor

I have a simple setup. A light forwarder, forwarder and an indexer. The light forwarder stopped working about 5 days ago. Now the registration did expire on all three systems. Would that explain why the forwarding stopped working? Nothing was changed or altered on the systems to my knowledge.

The only troubleshooting steps I've taken were to change the license files of the forwarder and light forwarder to licensed forwarders. I just copied the licensed files; they are still not registered.

Any idea what I need to do to get my log files forwarded to the indexer again? Thanks in advance.

1 Solution

Voltaire
Communicator

What OSes are you using for the indexer and/or LWFs? The license issue should be addressed immediately. That could account for the loss of the LWF functionality. Did you restart the Splunk indexer and LWF daemons after you made the licensing changes and/or enabled LWFing?

You can verify that your Splunk indexer is accepting connections to your receiving port by 1) testing the connection with "telnet ServerIPaddress ListeningPort" (or "telnet 1.2.3.4 9999") from the LWF to the Splunk indexer.

2) Verify if your IP address has established a connection with your indexer by netstat -an | more or netstat -an > myportconns.log

HTH - Otherwise let me know what happens next?

V.

ps..Spaces count
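
The two checks in the answer above (is the receiving port open, and has the forwarder actually connected to it) can be read out of one netstat -an capture on the indexer. The following is an added example, not part of the original post: check_receiver and sample_netstat are hypothetical helper names, the netstat lines are constructed sample data in Linux column layout, and port 9999 is the example port from the answer.

```shell
# Classify a receiving port from `netstat -an` text read on stdin.
# Usage on the indexer: netstat -an | check_receiver 9999 [forwarder-ip]
# Prints one of:
#   NOT_LISTENING           nothing is bound to the port
#   LISTENING_NO_PEERS      port is open, no established connections
#   FORWARDER_MISSING <ip>  peers exist, but not the forwarder asked about
#   ESTABLISHED <ip> ...    remote addresses connected to the port
check_receiver() {
    port=$1
    want=${2:-}
    awk -v port="$port" -v want="$want" '
        # Linux columns: proto recv-q send-q local remote state
        $1 ~ /^tcp/ {
            n = split($4, l, ":"); lport = l[n]     # last piece also handles ":::9999"
            if (lport != port) next
            if ($6 == "LISTEN") listening = 1
            if ($6 == "ESTABLISHED") {
                rip = $5; sub(/:[0-9]+$/, "", rip)  # drop the remote port
                if (!(rip in seen)) { seen[rip] = 1; peers = peers " " rip; count++ }
            }
        }
        END {
            if (!listening) { print "NOT_LISTENING"; exit }
            if (!count)     { print "LISTENING_NO_PEERS"; exit }
            if (want != "" && !(want in seen)) { print "FORWARDER_MISSING " want; exit }
            print "ESTABLISHED" peers
        }'
}

# Constructed sample capture (addresses are made up for the example).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.10:9999          10.0.0.21:40112         ESTABLISHED
tcp        0      0 10.0.0.10:9999          10.0.0.21:40113         TIME_WAIT
tcp        0      0 10.0.0.10:22            10.0.0.50:51514         ESTABLISHED
EOF
}

sample_netstat | check_receiver 9999
```

A TIME_WAIT entry is not counted as a connected forwarder, so a forwarder that keeps connecting and dropping shows up as LISTENING_NO_PEERS or FORWARDER_MISSING rather than ESTABLISHED.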

Voltaire
Communicator

Pardon, what version are you using? Are you using a specific index to forward the information from the LWF to the forwarder/main Splunk indexer server? If not, look at the index it is using and query that index from the Splunk server. Have you looked at the Splunk logs on the LW forwarder (default? /opt/splunk/var/logs?)


DTERM
Contributor

The O/S is RH5-64. The license issue has been addressed. However, this instance of Splunk still does not seem to accept data from forwarders or light forwarders. The ports on the indexer are on and listening and there is no firewall in between the host and the indexer. I ran a TCP dump on the indexer and I see data from the light forwarder. However, I can't seem to query the data.

Does this have anything to do with the licensing at this time? We have applied a license to the indexer though.
