Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise integration with Universal forwarder

13011994
New Member
‎03-02-2017 03:22 AM

Hi Team,

We are running Splunk Enterprise 6.4.1 in windows machine .We are able to monitor local system logs and applications.

But we need to monitor remote windows machine. So we installed universal forwarder 5.0 in another machine and gave the following settings

1) Added forwarder server with port 9997 in Universal forwarder
2)Enabled receiver on 9997 port on Splunk Enterprise

After giving this configuration when we list the forwarder- server in universal forwarder we are getting
C:\Program Files\SplunkUniversalForwarder\bin>splunk.exe list forward-server
Active forwards:
None
Configured but inactive forwards:
receiving host:9997

Plz let us know to debug this issue

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎03-02-2017 08:35 AM

As @richgalloway said: "Why use such an old Universal Forwarder?" Also, any 6.x forwarder has major performance and feature improvements over version 5.x forwarders.

But I suspect that the actual problem is in the outputs.conf file on the forwarder OR that the network route between the forwarder and the indexer is blocked in some way. Check the splunkd.log on the forwarder; you will find it under the forwarder's installation directory at var/log/splunk. In splunkd.log, you should see whether the forwarder is able to connect to the indexer. The splunkd.log will also show if Splunk has problems reading the input files, etc.

0 Karma
Reply

13011994
New Member
‎03-06-2017 01:03 AM

Hi Iguinn,

I am getting the below error. Can u say how to resolve this issue?

+0530 WARN TcpOutputProc - Cooked connection to ip=dest ip address:9997 timed out
+0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
+0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
+0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
+0530 WARN TcpOutputProc - Cooked connection to ip=dest ip address:9997 timed out

Regards,
Udhaya

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2017 05:11 AM

Which version of UF is reporting the errors?
Verify the IP address matches that of your deployment server. If you don't have a deployment server, modify your config to have the UF send data directly to indexers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-02-2017 04:39 AM

Why are you using such an old Universal Forwarder? Major version numbers should match between UF and Splunk core. Try installing a 6.4.x UF.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...