Getting Data In

How to troubleshoot configuration mismatch in inputs.conf and outputs.conf?

antifreke
Path Finder

Background, I am not an engineer and have little engineering experience. In setting up my instance, I have a question about the .Conf files.

Search Head - x.x.x.25
Syslog Server - x.x.x.24
Indexer 1- x.x.x.23

if I'm forwarding syslog data on udp 514, I have the following:

inputs.conf

[udp://514]
connection_host=dns
index=syslog
sourcetype=syslog

outputs.conf

[syslog:syslogGroup]
server = x.x.x.23:9997

[tcpout:indexer1]
server:x.x.x.23:9997

When I run list forward-server, I get the following:

Active forwards: none
configured but inactive: x.x.x.23:9997

Any ideas how I got this mismatch and what I need to do do make them active? I currently have no issues with networking, no firewalls, and can openly ping between devices. Thoughts?

0 Karma
1 Solution

lguinn2
Legend

Your outputs.conf is misconfigured. It should be

[tcpout:group1]
server=x.x.x.23:9997

The tcpout specifies Splunk-forwarder-to-Splunk-indexer communication. group1 can be any unique name; it is needed only if there are multiple tcpout stanzas. (So "indexer1" is actually okay here, but it doesn't really mean anything.)
The server specification of x.x.x.23:9997 should be fine - as long as the indexer running on x.x.x.23 is actually listening on port 9997. If it is not, that would be one reason that it would show up as "inactive."

The [syslog:syslogGroup] stanza should be removed. It is specifying that the forwarder should send data in syslog format to the server - which it should not do. This also could be the reason that the indexer shows as inactive.

For more information, you should look at $SPLUNK_HOME/var/log/splunkd.log

View solution in original post

0 Karma

lguinn2
Legend

Your outputs.conf is misconfigured. It should be

[tcpout:group1]
server=x.x.x.23:9997

The tcpout specifies Splunk-forwarder-to-Splunk-indexer communication. group1 can be any unique name; it is needed only if there are multiple tcpout stanzas. (So "indexer1" is actually okay here, but it doesn't really mean anything.)
The server specification of x.x.x.23:9997 should be fine - as long as the indexer running on x.x.x.23 is actually listening on port 9997. If it is not, that would be one reason that it would show up as "inactive."

The [syslog:syslogGroup] stanza should be removed. It is specifying that the forwarder should send data in syslog format to the server - which it should not do. This also could be the reason that the indexer shows as inactive.

For more information, you should look at $SPLUNK_HOME/var/log/splunkd.log

0 Karma

antifreke
Path Finder

Alright, I have that up.. but I think I figured out part of my problem in rsyslog.conf. Does the following look like I did this correctly?

if $fromhost-ip startswith 'x.x.x.23; then /var/log/rsyslog/devices.log
&~
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...