Hi Splunkers, I have a strange situation about a some universal forwarders. On some Windows host, a colleague has installed the UF using the graphical wizards. Those forwarders must be managed with...
See more...
Hi Splunkers, I have a strange situation about a some universal forwarders. On some Windows host, a colleague has installed the UF using the graphical wizards. Those forwarders must be managed with a Deployment server. He has NOT used the "customize" options; so, he has not set which logs must be sent to HF (Application, Security and so on) and a destination HF/Indexers. He has only inserted: Admin username and password Deployment server IP address and port As wrote above, he didn't inserted HF and/or Indexers; the idea is that once the UF has spoken with the Deployment server, 2 apps that contains inputs.conf and outputs.conf are downloaded and, after that, logs are sent. On Deployment server (we checked), the apps that should to be downloaded form UF have been created and contains the above 2 files. So, why I wrote "the apps that should be downloaded?" Well, due logs are not collected and sent to HF, we performed some troubleshoot and we found that apps has not been downloaded. I mean: on host where UF is installed, if we go on $SplunkUFHOME$\etc\apps, the 2 apps are not present. So, that means that no custom inputs.conf and outputs.conf are present on UF. Only the default provided with installation are present. First thing we thought: ok, we have network issues. But it seems not: we are perfectly able, from host with UF, to ping and telnet deployment server on its port. At same time, we can access firewall that manage this traffic and we don't see, on firewall logs, any evidence of blocked/truncated connections. UF can reach DS and vice versa without issues. We tried so to manually copy folders with apps inside UF (I know, very bad things, don't blame me please...) but the situation is always the same. So, the question is: if no network issues are present, what can be the root cause about no downloaded apps?