I would like to configure the heavy forwarder to forward syslog messages to the indexer. The forwarder is created with a TCP/UDP 514 input for listening to the syslog data; however, nothing can be searched from the indexer.
I have installed the Deployment monitor app and the forwarders have data coming in.
Is there any configuration that needs to be done in the indexer?
The following is the info from the Deployment Monitor app:
Hostname: linux01
Current Status: active
Last Time Data Received: 06/20/2014 03:15:51
Forwarder Type: heavy forwarder
Splunk Version: 6.1.1
Platform: Linux on x86_64
Source IP: 192.168.8.5
Destination Port: 9997
Connections This Period: 23
Average KB Per Second: 38.1618
Average Events Per Second: 3.1206