I'm running Splunk 4.2.3 on CentOS 6, and universal forwarder 4.2.3 on (2) CentOS 5 servers and (2) Windows 2008 R2 servers. I installed the universal forwarder onto the CentOS and Windows servers within 30 minutes of each other. I'm seeing data from the Windows servers in my Splunk host/server, but not the CentOS servers. Each of the forwarders uses the same IP address and port number for the host/receiver. A "netstat -an | grep port number" run on the CentOS forwarders shows that they are connected to my host/receiver. The "/opt/splunkforwarder/var/log/splunk/splunkd.log" also shows that the forwarder is connected to the host/receiver. I've restarted the forwarder service on each forwarder, and changed the forwarder log afterward. In each case the forwarder connects to the host/receiver. I have no errors in the log file, no errors in /var/log/messages. The forwarder service starts without error. Obviously there isn't a firewall on the forwarders that's blocking the communications between the host and the forwarder, as shown by the output of "netstat -an | grep port number". I did check "inputstatus" as recommended in another user's question, but being new to Splunk, I couldn't find anything that looked wrong.
So, does anyone have any ideas?