Forwarding logs from server to local system

vijay_n
Engager

Hi, 

I have installed the universal forwarder on a cloud instance (Linux), then I installed Splunk Enterprise on my local machine (laptop), which is running Windows 10. I want to forward logs from the Linux machine to the Splunk indexer on my laptop.

The problem is, what server IP should I give in the Linux universal forwarder's etc/system/local/outputs.conf?

[tcpout:example]
server=?????

I tried giving my IP ***.***.**.***:9997, but it was of no use.

On my laptop, Splunk is running at localhost:8000.

Please help me with this.

Thanks.


PickleRick
SplunkTrust

A Splunk server is like any other network service daemon. To connect a forwarder to a receiver (indexer) you need to have network-level visibility, as with any other service (a web server, for example).

So if you can't do that on your own, get some local help with your network setup. There are so many different scenarios that we can't give you good advice without detailed knowledge of your networking environment.

Just remember that exposing your laptop's services directly to the open internet might not be the best idea unless you know really well what you're doing.


vijay_n
Engager

Thank you for the information.


VatsalJagani
SplunkTrust

You have to give the public IP of your laptop. And make sure that port 9997 on your laptop is accessible publicly.

As you are doing this over the public internet, you have to take security measures like allowed IPs, SSL, etc.


vijay_n
Engager

Hi, I tried adding firewall rules allowing TCP for 8000 and 9997, but it didn't help.


VatsalJagani
SplunkTrust

Try checking with telnet to see if the network is okay or not.

Make sure you have enabled data receiving on the indexers.

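To make the two answers above concrete (give the forwarder an address it can actually route to, enable and restrict the receiving port on the indexer, then prove the network path works with telnet or an equivalent before touching Splunk again), here is an added example that is not part of this thread and is not Splunk's own tooling. It is a small POSIX shell script that renders the [tcpout] stanza for the forwarder's outputs.conf, renders the [splunktcp://] receiving stanza for the indexer's inputs.conf with an acceptFrom allow-list, and checks whether a TCP handshake to the receiver completes. The address 203.0.113.10, the 203.0.113.0/24 allow-list and the group name `example` are placeholders (RFC 5737 documentation range), not real values.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. Placeholders:
# 203.0.113.10:9997 (receiver as seen FROM the forwarder), 203.0.113.0/24
# (networks allowed to send), group name "example".

# Forwarder side: stanza for $SPLUNK_HOME/etc/system/local/outputs.conf.
# server must be <address of the indexer that the forwarder can route to>:<port>.
# "localhost" or the laptop's private LAN address only works if the forwarder
# is on that same network; from a cloud VM it needs a public IP, a NAT
# port-forward to the laptop, or a VPN/tunnel.
# Usage: render_outputs_conf <group-name> <host:port>
render_outputs_conf() {
  group="$1"; target="$2"
  case "$target" in
    *:[0-9]*) ;;   # looks like host:port
    *) echo "server must be host:port, got '$target'" >&2; return 1 ;;
  esac
  printf '[tcpout]\ndefaultGroup = %s\n\n[tcpout:%s]\nserver = %s\n' \
    "$group" "$group" "$target"
}

# Indexer side: receiving stanza for $SPLUNK_HOME/etc/system/local/inputs.conf.
# The optional second argument becomes acceptFrom, the "allowed IPs" measure
# from the thread, so only the forwarder's network may connect. Port 8000 is
# Splunk Web and plays no part in forwarding; only the splunktcp port must be
# reachable from the forwarder.
# Usage: render_inputs_conf <port> [allowed-network]
render_inputs_conf() {
  port="$1"; allowed="$2"
  printf '[splunktcp://%s]\ndisabled = 0\n' "$port"
  [ -n "$allowed" ] && printf 'acceptFrom = %s\n' "$allowed"
  return 0
}

# Network check to run ON THE FORWARDER host: returns 0 only if a TCP
# handshake to host:port completes within the timeout. Same information as
# "telnet host 9997", but scriptable. Uses python3 if present, otherwise
# bash's /dev/tcp (with the coreutils timeout command).
# Usage: check_tcp <host> <port> [timeout-seconds]
check_tcp() {
  host="$1"; port="$2"; secs="${3:-3}"
  if command -v python3 >/dev/null 2>&1; then
    python3 - "$host" "$port" "$secs" <<'PY'
import socket, sys
host, port, secs = sys.argv[1], int(sys.argv[2]), float(sys.argv[3])
try:
    socket.create_connection((host, port), timeout=secs).close()
except OSError:          # refused, filtered/timeout, unroutable, DNS failure
    sys.exit(1)
PY
  elif command -v bash >/dev/null 2>&1; then
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    echo "check_tcp: need python3 or bash" >&2; return 2
  fi
}

# Demo: render both stanzas for a target (argument 1, or the placeholder)
# and report whether the receiver answers at all.
TARGET="${1:-203.0.113.10:9997}"
HOST="${TARGET%%:*}"; PORT="${TARGET##*:}"
render_outputs_conf example "$TARGET"
echo
render_inputs_conf "$PORT" "203.0.113.0/24"
echo
if check_tcp "$HOST" "$PORT" 2; then
  echo "receiver $TARGET reachable: now confirm receiving is enabled on the indexer"
else
  echo "receiver $TARGET NOT reachable: fix routing, NAT/port-forward or firewall first"
fi
```

The two stanzas are what `splunk enable listen 9997` (on the indexer) and `splunk add forward-server <host>:9997` (on the forwarder) write for you; either way, restart Splunk after changing the files. If check_tcp fails from the cloud VM, no change to outputs.conf will help, which is the point PickleRick makes: the laptop is almost certainly behind a home or corporate NAT, so its public IP alone is not enough without a port-forward or tunnel to it. Once the path works, prefer the [splunktcp-ssl://] form with certificates over plain splunktcp for an internet-exposed receiver, and keep the acceptFrom list as narrow as the forwarder's egress address allows.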