Deployment Architecture

Unable to forward data to Splunk Cloud Instance

sairam109
New Member

hi,

I have a local server on my network and would like to send data from this local host to the cloud instance. I have followed the instructions here, https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/ConfigSCUFCredentials and installed the splunkclouduf.spl obtained from my cloud instance profile. However I seem to be getting the following errors:

11-12-2021 13:56:53.874 +0800 WARN X509Verify [30879 HTTPDispatch] - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates>
11-12-2021 13:56:53.901 +0800 INFO UiHttpListener [30942 WebuiStartup] - Web UI disabled in web.conf [settings]; not starting
11-12-2021 13:56:54.039 +0800 INFO TcpOutputProc [30923 parsing] - _isHttpOutConfigured=NOT_CONFIGURED
11-12-2021 13:56:54.040 +0800 ERROR TcpOutputProc [30923 parsing] - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
11-12-2021 13:56:58.961 +0800 WARN TailReader [30932 tailreader0] - Could not send data to output queue (parsingQueue), retrying...

 

I thought that once we deploy via the splunkclouduf.spl, we need not configure any outputs.conf file?

 

Any assistance is greatly appreciated.

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
Hi
You are running UF as a splunk user and also that splunkclouduf.spl are installed and owner by this user?
r. Ismo
0 Karma

sairam109
New Member

Hi Ismo,

Nice to e-meet you 🙂 Thanks for responding to my query.

It appears I might have somehow messed up the installation using the spl credential file. I just did a reinstall and seems to be working fine now. Thanks! Apologies for the inconvenience! 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Nice to hear that it works for you. Happy splunking
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!