I am trying to get a Windows 2008 box hooked into Splunk cloud.
Specifically I want to forward logs from a custom log file to my Splunk Cloud 14 day trial account.
I have downloaded and installed the Universal forwarder from the generic download page (instructions stating I'd get a 'welcome email with custom download' appear to be incorrect).
I have installed the universal forwarder and configured its 'etc\system\local\outputs.conf' file like so:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997
[tcpout-server://input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997]
Running 'splunk list monitor' shows I'm monitoring files:
c:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor
Your session is invalid. Please login.
Splunk username: admin
Password:
Monitored Directories:
$SPLUNK_HOME\var\log\splunk\splunkd.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\audit.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\first_install.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_audit.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\mongod.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\remote_searches.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\scheduler.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\searchhistory.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd-utility.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_access.log
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_ui_access.log
$SPLUNK_HOME\var\spool\splunk\...stash_new
Monitored Files:
$SPLUNK_HOME\etc\splunk.version
C:\Program Files (x86)\mmc-distribution-mule-console-bundle-3.6.0\mule-enterprise-3.6.0\logs\mule_ee.log
and a tail of the splunkd.log shows this:
01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
And nothing is being logged to the Cloud.
How do I further debug this?
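As an added example (not part of the original post and not Splunk's own tooling), the following Python 3 script does the two checks a practitioner would run next on the forwarder host. It parses splunkd.log for TcpOutput* errors and reports how often the indexer is dropping the connection, and it probes the configured destination first as plain TCP and then with a TLS handshake. Splunk Cloud's receiving port 9997 normally expects TLS and the outputs.conf quoted above has no ssl* settings, so a plaintext forwarder whose TCP connect succeeds but is then closed is consistent with a TLS-only port; the credentials app that Splunk Cloud provides for the universal forwarder is what normally supplies those settings. The sample log lines are copied from the post (plus one constructed INFO line), the host and port come from the post, and the function names are this example's own.

```python
import re
import socket
import ssl
import sys
from collections import Counter
from datetime import datetime

# Constructed sample: the three splunkd.log lines quoted in the post, plus one
# unrelated INFO line to show that only TcpOutput* errors are picked up.
SAMPLE_SPLUNKD_LOG = """\
01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:10.000 +1000 INFO  TailingProcessor - Adding watch on path: C:\\Program Files (x86)\\mule\\logs\\mule_ee.log.
"""

# splunkd.log line layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)


def parse_tcpout_errors(log_text):
    """Return a list of (timestamp, message) for every ERROR logged by a TcpOutput* component."""
    errors = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # continuation lines, blank lines, anything not in splunkd format
        if m["level"] == "ERROR" and m["component"].startswith("TcpOutput"):
            ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f")
            errors.append((ts, m["msg"]))
    return errors


def summarize_errors(errors):
    """Count distinct error messages and compute the mean gap between consecutive errors.

    A steady ~30 s gap means the forwarder reconnects, is accepted at the TCP
    level, and is then dropped again: the problem is after the connect, not
    DNS or a firewall block.
    """
    counts = Counter(msg for _, msg in errors)
    gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(errors, errors[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else None
    return {"total": len(errors), "by_message": dict(counts), "mean_gap_seconds": mean_gap}


def probe_indexer(host, port, timeout=5.0):
    """Try the destination as plain TCP, then attempt a TLS handshake on a fresh connection.

    Not exercised offline. Interpretation: tcp 'connected' plus a TLS handshake
    that completes (even with an untrusted certificate) means the port speaks
    TLS and a plaintext outputs.conf will be dropped; tcp 'connected' plus a
    TLS failure complaining about the server's reply means the port is
    plaintext. Certificate verification is disabled on purpose: this is a
    diagnostic of what the port speaks, not a trust decision.
    """
    result = {"host": host, "port": port, "tcp": None, "tls": None}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["tcp"] = "connected"
    except OSError as exc:
        result["tcp"] = "failed: %s" % exc
        return result  # no point trying TLS if TCP itself fails
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = "handshake ok (%s, %s)" % (tls.version(), tls.cipher()[0])
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        result["tls"] = "failed: %s" % exc
    return result


if __name__ == "__main__":
    # Offline part: run over the sample lines (or a real splunkd.log if a path is given).
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SPLUNKD_LOG
    print(summarize_errors(parse_tcpout_errors(text)))
    # Network part, only when explicitly asked for: python probe.py splunkd.log host:port
    if len(sys.argv) > 2:
        host, port = sys.argv[2].rsplit(":", 1)
        print(probe_indexer(host, int(port)))
```

Run it against the forwarder's own splunkd.log first (`var\log\splunk\splunkd.log` under the install directory) and then, as a second argument, the destination from outputs.conf, e.g. `input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997`. If the TLS handshake completes, the next step is the forwarder side of TLS (the credentials app Splunk Cloud provides for the universal forwarder, or the equivalent sslCertPath/sslRootCAPath/sslPassword settings), not the monitor stanzas, which the `splunk list monitor` output already shows are in place.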