Getting Data In

universal forwarder

sarah89
Path Finder

Please, I need help.

I deployed a universal forwarder by following the tutorial "Distributed Deployment Manual".

The universal forwarder on the machine is configured like this:

inputs.conf
[default]
host = atelcom-62de949

[monitor://Documents and Settings\sarah\Bureau\splunk image]
disabled = false

output.conf

[tcpout]
defaultGroup = 192.168.0.45_9997
[tcpout:192.168.0.45_9997]
server = 192.168.0.45:9997
[tcpout-server://192.168.0.45:9997]

The Splunk instance (the indexer) is installed in a Windows Server 2008 virtual machine.
I enabled the receiver, but when I use the deployment monitor to see the forwarder, I don't find anything from it; it doesn't seem to be working.
Can you please tell me how to fix this?

sarah89
Path Finder

I had to disable the firewalls of Windows Server 2008.

sarah89
Path Finder

Thanks a lot, I get it.

0 Karma

Ayn
Legend

You should have a look at splunkd.log on the indexer to see what error messages you're getting. Ideas on possible problems: non-SSL connection to an SSL enabled listening port, mismatch on compression settings.

0 Karma

sarah89
Path Finder

Splunk server:

Process= splunkd.exe
PID=1360
Protocol= TCP
Local address= lab2008
Local port =9997
Remote address= lab2008
Remote port=0
Stat= LISTENING

Universal forwarder:

Process= splunkd.exe
PID=1332
Protocol= TCP
Local address= atelcom-62de949.ssg20-wlan
Local port =1215
Remote address= lab2008
Remote port=9997
Stat= established

0 Karma

Ayn
Legend

Can you connect to the indexer on port 9997 from the host you're running the Universal Forwarder on?

0 Karma

sarah89
Path Finder

Hello all,

Please, can anyone help me? I'm stuck here; I couldn't figure it out.

0 Karma

sarah89
Path Finder

Tell me please, what do the inputs.conf and outputs.conf of the indexer look like?

0 Karma

sarah89
Path Finder

I have only INFO and WARN like this:
04-08-2012 11:59:01.265 +0100 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...

4-08-2012 12:01:25.781 +0100 WARN TcpOutputProc - Cooked connection to ip=192.168.0.45:9997 timed ou

0 Karma

MarioM
Motivator

Check if there is any error in your forwarder's splunkd.log (splunkforwarder\var\log\splunk\).

0 Karma

sarah89
Path Finder

I still have the problem, please tell me what I should do to fix this.

0 Karma

sarah89
Path Finder

Thanks, I will try to add this to the path.

0 Karma

sarah89
Path Finder

How can I see the splunkd.log around connections to the indexer?

0 Karma
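
One way to pull the forwarding-related entries out of a forwarder's splunkd.log, as an added example that is not part of the original thread and not Splunk's own tooling. The sample log is constructed from the two lines quoted in the thread, and the function names `summarize_forwarding` and `diagnose` are hypothetical.

```python
import re
from collections import Counter

# Line layout as quoted in the thread:
# "<MM-DD-YYYY HH:MM:SS.mmm> <+ZZZZ> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\w+) - (?P<msg>.*)$"
)
DEST_RE = re.compile(r"ip=([\w.\-]+:\d+)")

# Constructed sample modelled on the two lines quoted in the thread,
# plus one cut-off line to exercise the unparsed path.
SAMPLE_LOG = """\
04-08-2012 11:58:59.100 +0100 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
04-08-2012 11:59:01.265 +0100 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
04-08-2012 12:01:25.781 +0100 WARN TcpOutputProc - Cooked connection to ip=192.168.0.45:9997 timed out
04-08-2012 12:01:55.790 +0100 WARN TcpOutputProc - Cooked connection to ip=192.168.0.45:9997 timed out
04-08-2012 12:02:2
"""


def summarize_forwarding(log_text):
    """Count output timeouts per destination, blocked-queue retries and unparsed lines."""
    timeouts, blocked, unparsed = Counter(), 0, 0
    for line in filter(str.strip, log_text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
        elif m["component"] == "TcpOutputProc" and "timed out" in m["msg"]:
            dest = DEST_RE.search(m["msg"])
            timeouts[dest.group(1) if dest else "unknown"] += 1
        elif m["component"] == "TailingProcessor" and "output queue" in m["msg"]:
            blocked += 1
    return {"timeouts": dict(timeouts), "blocked_queue": blocked, "unparsed": unparsed}


def diagnose(summary):
    """Turn the counts into the checks suggested in this thread."""
    hints = []
    for dest, n in sorted(summary["timeouts"].items()):
        hints.append(f"{n} connection timeout(s) to {dest}: confirm the receiver is "
                     "listening and the indexer's host firewall permits that port")
    if summary["blocked_queue"] and summary["timeouts"]:
        hints.append("input queue is likely backing up because the output cannot drain")
    return hints


if __name__ == "__main__":
    for hint in diagnose(summarize_forwarding(SAMPLE_LOG)):
        print(hint)
```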

twkan
Splunk Employee

I am not sure if it's a typo error, but can you verify your file is outputs.conf and not output.conf like what you have mentioned?

0 Karma

sarah89
Path Finder

I checked it, it's outputs.conf, not output.conf.
It was just a typo error.

0 Karma

MHibbin
Influencer

Shouldn't the file path in the monitor stanza be absolute, i.e. include the disk? For example...

[monitor://C:\Documents and Settings\sarah\Bureau\splunk image]

Or whatever the location may be... I've always used the absolute path to be certain.

0 Karma

jbsplunk
Splunk Employee

Could you provide some details around what you're seeing in Splunkd.log around connections to the indexer?

0 Karma