Hi all- I have a free splunk server set up which is gathering all my syslog data from switches, etc.
I'm moving on to get our OSes to forward their log data to splunk. Everything I talk about here is on Linux, installed using the RPM.
I set up the splunk server to receive on port 9997.
After installing it, I followed the docs and ran the following on the remote host:
cd /opt/splunk/etc
mv splunk-forwarder.license splunk.license
cd /opt/splunk/bin
./splunk start
./splunk enable app SplunkLightForwarder
./splunk restart
./splunk add forward-server :9997
./splunk restart
However I don't have anything showing on the splunk server for that host. This is a server where lots gets dumped to /var/log/messages, so there should be something showing in the splunk server for it. I'm pretty green on splunk right now and am probably missing something easy but can't find it - I've searched lots before posting. I'd appreciate any help.
Thanks!
Hi ryamry
I am also stuck in the same situation as yours. Can you advise me on what you did?
I am also not seeing the host on the splunk server.
Here is how my setup went:
1) install full splunk on server1. Installed *nix app and verified that it is collecting data.
2) install full splunk on server2. Installed *nix app and verified that it is collecting data.
3) configure receiving on splunk server1 to port 9997.
4) Enabled forwarding on server2.
cd /opt/splunk/bin
./splunk start
./splunk enable app SplunkLightForwarder
./splunk restart
./splunk add forward-server :9997
./splunk restart
5) Opened splunk server1 web but did not see server2.
Please advise, I appreciate your help. Thank you.
If those are all your steps, it doesn't look like you configured your forwarder to collect any data, so it may not have anything to forward. I recommend configuring your forwarder as a full Splunk, initially, until you can confirm that it is collecting data. Once the data is right, use Manager-->Forwarding/Receiving to configure forwarding. You can even convert to a Lightweight Forwarder (LWF) in the UI.
Here are some additional notes that you might find helpful, in terms of getting some valuable data from a Linux host and configuring forwarding: http://answers.splunk.com/questions/11579/splunk-for-nix/11581#11581
If you need to convert your LWF back into a full Splunk to get it configured, stop Splunk and restore your free demo license. You can use the following command to turn a LWF into a full Splunk:
splunk disable app SplunkLightForwarder
HTH
ron
Never mind. I figured out how to do it with just syslog.
destination logserver { udp("10.1.1.1" port(514)); };
log { source(src); destination(logserver); };
Thanks anyways.
I don't want all the info that is taken with the *nix app. All I want to be forwarded is the log data. Is there a simple command I can run from the CLI to do this?
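Added example, not from this thread and not Splunk's own code: a POSIX shell helper that writes the two config files a light forwarder needs in order to have something to send (an inputs.conf monitor stanza for /var/log/messages and an outputs.conf pointing at the receiver), and that rejects a receiver spec given as ":port" with no host. The receiver name splunk.example.com and the target directory are assumptions; on a real host the directory would be /opt/splunk/etc, followed by a splunk restart.

```shell
#!/bin/sh
# Added example (not from the thread): generate the config a Splunk light
# forwarder needs to ship /var/log/messages to an indexer listening on 9997.
# Takes the "etc" directory as an argument so it can be exercised without
# touching /opt/splunk.

# Validate the receiver spec: the forwarder needs host:port, not ":port" alone.
valid_receiver() {
    case "$1" in
        ""|:*|*:|*:*:*) return 1 ;;      # empty, missing host, missing port
        *:*) port=${1##*:}
             case "$port" in
                 *[!0-9]*) return 1 ;;    # port must be numeric
             esac
             return 0 ;;
        *) return 1 ;;                    # no host:port separator at all
    esac
}

# write_forwarder_conf ETCDIR RECEIVER PATH...
# ETCDIR: Splunk etc directory (/opt/splunk/etc on a real host, assumed here)
# RECEIVER: host:port of the indexer; each PATH becomes a monitor stanza.
write_forwarder_conf() {
    etc=$1; receiver=$2; shift 2
    valid_receiver "$receiver" || { echo "bad receiver '$receiver': need host:port" >&2; return 1; }
    conf_dir="$etc/system/local"
    mkdir -p "$conf_dir"
    {
        echo "[tcpout]"
        echo "defaultGroup = primary_indexer"
        echo ""
        echo "[tcpout:primary_indexer]"
        echo "server = $receiver"
    } > "$conf_dir/outputs.conf"
    : > "$conf_dir/inputs.conf"
    for p in "$@"; do
        {
            echo "[monitor://$p]"
            echo "sourcetype = syslog"    # /var/log/messages is syslog-formatted
            echo "disabled = false"
            echo ""
        } >> "$conf_dir/inputs.conf"
    done
    return 0
}
```

Once the files are in place and the forwarder restarted, `./splunk list monitor` and `./splunk list forward-server` on the forwarder confirm what it is collecting and where it is sending.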