I've installed universal forwarder on linux system and have configured the forwarder to forward linux log to indexer ip 3.4.5.6:
inputs.conf
[monitor://path.../myfile]
host = 1.2.3.4
sourcetype = linux:log
output.conf
[tcpout]
server = 3.4.5.6
Still unable to receive any logs from the forwarder yet. Anything I've missed?
You can find it here:
/opt/splunk/etc/system/local/outputs.conf
Well, you may find several outputs.conf files on your system, popular paths include:
Don't mess with any of the ../default/outputs.conf files.
The problem may also lie elsewhere; run
'/opt/splunkforwarder/bin/splunk btool outputs list'
to see the current configuration for outputs. Then run
'netstat -an | grep 3333'
If you do not see that the connection is ESTABLISHED, you may have a firewall blocking the traffic.
Hope this helps,
Kristian
I've re-checked the documentation and followed the syntax.
In inputs.conf
[monitor:///path.../myfile]
host = 1.2.3.4
sourcetype = linux:log
outputs.conf
[tcpout-server://3.4.5.6:3333]
compressed=false
Understood that outputs.conf is provided with the universal forwarder in the search app. I can't find it, and if I were to create it manually, should it be placed at opt/splunk/etc/../search/default ?
So... does anyone know where to locate the outputs.conf that comes with the universal forwarder...
You should define a port, e.g.
[tcpout:ip_port]
server = ip:port
and then ensure you have set up your indexer to receive on the same port.
To then verify on the web GUI that there is connectivity, or to help troubleshoot, you could perform a search as an admin like:
index=_internal tcpin*
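As an added example that is not code from the thread, the following POSIX shell script turns the two checks suggested in the answers above (Kristian's netstat test for an ESTABLISHED connection, and the last answer's point that every tcpout server entry needs a port) into two small functions that can be run offline against constructed data. The sample outputs.conf fragments and the netstat output are constructed for the example; the indexer address 3.4.5.6 is taken from the question, and port 9997 is an assumption standing in for whatever port the indexer is configured to receive on.

```shell
#!/bin/sh
# Added example, not code from the thread. Two offline checks for the two
# failure modes discussed above: a tcpout "server" entry with no port, and a
# forwarder that never reaches ESTABLISHED on the indexer's port.
# Sample configs and netstat output are constructed; 3.4.5.6 is the indexer
# from the question, port 9997 is an assumption for illustration.

# Constructed outputs.conf that would work: a target group with host:port.
GOOD_OUTPUTS='[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = 3.4.5.6:9997
compressed = false
'

# Constructed outputs.conf mirroring the question: "server" with no port.
BAD_OUTPUTS='[tcpout]
server = 3.4.5.6
'

# Read an outputs.conf on stdin and reject any "server" entry (comma lists
# included) that does not end in ":<port>". Returns 0 if every entry has a
# port, 1 otherwise, listing the offending entries on stderr.
check_outputs_ports() {
    bad=$(awk -F'=' '
        /^[[:space:]]*server[[:space:]]*=/ {
            n = split($2, hosts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", hosts[i])
                if (hosts[i] !~ /:[0-9]+$/) print hosts[i]
            }
        }')
    if [ -n "$bad" ]; then
        printf 'server entries without a port: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed "netstat -an" output as seen on the forwarder: one connection
# to the indexer that is up, one stuck in SYN_SENT (what a firewall silently
# dropping the port looks like from the forwarder side).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:41234          3.4.5.6:9997            ESTABLISHED
tcp        0      0 10.0.0.5:41235          3.4.5.6:3333            SYN_SENT
'

# Read netstat -an output on stdin; return 0 only if there is a TCP
# connection whose foreign address is exactly host:port and whose state is
# ESTABLISHED. A bare "grep <port>" also matches LISTEN or SYN_SENT lines
# and unrelated ports, so the state column is checked explicitly.
has_established() {
    awk -v peer="$1:$2" '
        $1 == "tcp" && $5 == peer && $6 == "ESTABLISHED" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Demo run on the constructed data.
printf '%s' "$GOOD_OUTPUTS" | check_outputs_ports && echo "good outputs.conf: ok"
printf '%s' "$BAD_OUTPUTS" | check_outputs_ports || echo "bad outputs.conf: rejected"
printf '%s' "$SAMPLE_NETSTAT" | has_established 3.4.5.6 9997 && echo "9997: ESTABLISHED"
printf '%s' "$SAMPLE_NETSTAT" | has_established 3.4.5.6 3333 || echo "3333: not established"
```

On a real forwarder, run `check_outputs_ports < /opt/splunkforwarder/etc/system/local/outputs.conf` (or feed it the output of `splunk btool outputs list`, which shows the merged view across all outputs.conf files rather than one file) and `netstat -an | has_established 3.4.5.6 9997`. A SYN_SENT entry means packets leave the forwarder but nothing answers, which is the firewall case Kristian describes; the indexer side must also be listening, which is the `[splunktcp://<port>]` stanza in the indexer's inputs.conf (or Settings > Forwarding and receiving in the web UI), and the forwarder must be restarted after outputs.conf is edited.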