Why is the data from the Splunk forwarder --splunk-cooked-mode-v3-- then about 103 x00, then the computer name followed by 241 x00, then 8089 followed by 12 more x00?
I have tried to find something on the web that made sense to me to discover what the problem is. I used Wireshark on the Windows 7 machine to trap the data. The data looks the same on my Ubuntu 12.10 Splunk standalone indexer.
Thanks
Lewis
"I have tried to find something on the web that made sense to me to discover what the problem is." What exactly is the problem you are referencing/experiencing? 8090 is the management port the deployment server uses. Probably the client checking in with the deployment server. See step one.
http://docs.splunk.com/Documentation/Splunk/latest/Updating/Howdeploymentupdateshappen
Sounds like you've set up a TCP input (in the "Inputs" section in Splunk Web) instead of a receiving port (in "Forwarding and receiving"). TCP inputs are read by Splunk as-is, while receiving ports are used for receiving data in the proprietary format that's used for forwarded data from one Splunk instance to another. Make sure you're sending forwarded data to a receiving port.
lewis15, please see the answer I suggested. I believe you are seeing the deployment server poll packet.
Fine. So, what's the actual problem you're experiencing?
All null characters is not proprietary!!!!!!!!!!!!!!!!!!
If there was data/information it would not be all 000000000000000000000000000s
I don't know what else I can say to make you understand this. Data is sent in a proprietary format that will be more than just any log data sent. This is not a problem, this is just the way the data is sent.
If the data that is in the network layer is going to be in the output layer. Also I replaced the universal forwarder with a full Splunk version setup for forwarding and it does the same thing, just sends the computer name and lots of x00s.
Highly possible. You really should look for that in Splunk itself, not try to decipher it on the network layer.
So there isn't any event log data sent, just nulls - x00
OK. What you are seeing is Splunk's own proprietary format for sending data. There's various metadata added apart from the actual raw event. This is not a problem, that's just how it's sent on the wire.
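As an added illustration of the two answers above (this is not code from the thread or from Splunk): a small Python parser for the handshake layout the question describes. The field widths of 128, 256 and 16 bytes are an assumption inferred from the byte counts in the question (25 + 103, a 15-character name + 241, 4 + 12); they are not taken from Splunk documentation. The sample bytes are constructed, and the parser rejects a stream that lacks the cooked-mode signature, which is what a raw TCP input would be fed.

```python
# Added example: decode the fixed-width handshake a Splunk forwarder sends at
# the start of a cooked (splunktcp) connection. Field widths are ASSUMED from
# the byte counts reported in the question: 25 + 103 = 128, name + 241 = 256,
# 4 + 12 = 16. They are not taken from Splunk documentation.

SIGNATURE = b"--splunk-cooked-mode-v3--"
SIG_WIDTH, HOST_WIDTH, PORT_WIDTH = 128, 256, 16
HEADER_LEN = SIG_WIDTH + HOST_WIDTH + PORT_WIDTH  # 400 bytes in total


def build_handshake(hostname: str, mgmt_port: int = 8089) -> bytes:
    """Build a constructed handshake block, each field NUL-padded to its width."""
    def field(value: bytes, width: int) -> bytes:
        if len(value) >= width:
            raise ValueError(f"field {value!r} does not fit in {width} bytes")
        return value.ljust(width, b"\x00")
    return (field(SIGNATURE, SIG_WIDTH)
            + field(hostname.encode("ascii"), HOST_WIDTH)
            + field(str(mgmt_port).encode("ascii"), PORT_WIDTH))


def parse_handshake(buf: bytes) -> dict:
    """Split the leading 400 bytes into signature, hostname and management port.

    Returns the decoded fields plus the number of NUL bytes that padded each
    field, which is what Wireshark shows as the long runs of 0x00. Anything
    after the header is returned untouched as 'payload'.
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("short buffer: not a complete cooked-mode handshake")
    sig_raw = buf[:SIG_WIDTH]
    if not sig_raw.startswith(SIGNATURE):
        raise ValueError("not a cooked-mode stream; looks like raw TCP input data")
    host_raw = buf[SIG_WIDTH:SIG_WIDTH + HOST_WIDTH]
    port_raw = buf[SIG_WIDTH + HOST_WIDTH:HEADER_LEN]

    def strip(raw: bytes) -> tuple:
        # Value runs up to the first NUL; the rest of the field is padding.
        value = raw.split(b"\x00", 1)[0]
        return value, len(raw) - len(value)

    sig, sig_pad = strip(sig_raw)
    host, host_pad = strip(host_raw)
    port, port_pad = strip(port_raw)
    return {
        "signature": sig.decode("ascii"),
        "hostname": host.decode("ascii"),
        "mgmt_port": int(port),
        "padding": (sig_pad, host_pad, port_pad),
        "payload": buf[HEADER_LEN:],
    }


if __name__ == "__main__":
    # Constructed sample: a 15-character Windows hostname reproduces the
    # 103 / 241 / 12 NUL counts from the question.
    sample = build_handshake("WIN7-WORKSTATN1")
    print(parse_handshake(sample))
```

Run against a capture instead of the constructed sample, the padding tuple should come out as (103, 241, 12) for a 15-character hostname; a different hostname length changes only the middle number. No event text appears inside these 400 bytes, which is why looking for log data in them on the wire is the wrong place to check.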
I am looking at the data leaving the forwarder using wireshark.
No, I'm not talking about the forwarder, I'm talking about the Splunk instance you're sending data TO from the forwarder.
The universal forwarder does not use Splunk Web. There isn't an option in the Windows setup to select TCP or UDP.