splunk stopped forwarding...

DTERM
Contributor

I have a simple setup. A light forwarder, forwarder and an indexer. The light forwarder stopped working about 5 days ago. Now the registration did expire on all three systems. Would that explain why the forwarding stopped working? Nothing was changed or altered on the systems to my knowledge.

The only troubleshooting steps I've taken were to change the license files of the forwarder and light forwarder to licensed forwarders. I just copied the licensed files; they are still not registered.

Any idea what I need to do to get my log files forwarded to the indexer again? Thanks in advance.


Voltaire
Communicator

What OSes are you using for the indexer and/or LWFs? The license issue should be addressed immediately. That could account for the loss of the LWF functionality. Did you restart the Splunk indexer and LWF daemons after you made the licensing changes and/or enabled LWFing?

You can verify that your Splunk indexer is accepting connections to your receiving port by 1) testing the connection, by "Telnet ServerIPaddress ListeningPort or 1.2.3.4 9999" from LWF to Splunk indexer.

2) Verify if your IP address has established a connection with your indexer by netstat -an | more or netstat -an > myportconns.log

HTH's - Otherwise let me know what happens next?

V.

ps..Spaces count
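
The two checks in the answer above (receiving port listening, forwarder connection established) can be read off the indexer's `netstat -an` output. This is an added example, not part of the original post; port 9999 and the IP addresses are constructed sample values, and the Linux netstat column layout is assumed:

```shell
#!/bin/sh
# Added example: interpret `netstat -an` output (Linux column layout) on the indexer.
# Port 9999 and all IP addresses below are constructed sample values.

# check_receiver PORT FORWARDER_IP  -- reads `netstat -an` output on stdin.
# Prints "listening=<yes|no> established=<yes|no>".
check_receiver() {
    awk -v port="$1" -v fwd="$2" '
        $1 ~ /^tcp/ {
            local_addr = $4; remote_addr = $5; state = $6
            # Local port is whatever follows the last ":" (also handles ":::9999").
            lport = local_addr;  sub(/.*:/, "", lport)
            # Remote host is everything before the last ":".
            rhost = remote_addr; sub(/:[^:]*$/, "", rhost)
            if (lport != port) next
            if (state == "LISTEN") listening = 1
            # TIME_WAIT / CLOSE_WAIT do not count: the forwarder is not connected.
            if (state == "ESTABLISHED" && rhost == fwd) established = 1
        }
        END {
            printf "listening=%s established=%s\n",
                   (listening ? "yes" : "no"), (established ? "yes" : "no")
        }'
}

# Constructed sample of indexer-side output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:9999           10.0.0.21:51234         ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.99:40022         ESTABLISHED
tcp        0      0 10.0.0.5:9999           10.0.0.30:51811         TIME_WAIT'

# On a live indexer: netstat -an | check_receiver 9999 10.0.0.21
printf '%s\n' "$SAMPLE_NETSTAT" | check_receiver 9999 10.0.0.21
printf '%s\n' "$SAMPLE_NETSTAT" | check_receiver 9999 10.0.0.30
```

A result of `listening=yes established=yes` only shows that the transport is up; it does not show that the indexer is indexing what it receives.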

Voltaire
Communicator

Pardon, what version are you using? Are you using a specific index to forward the information from the LWF to the Forwarder/Main Splunk indexer server? If not, look at the index it is using and query that index from the Splunk server. Have you looked at the Splunk logs on the LW forwarder (* Default? /opt/splunk/var/logs?)


DTERM
Contributor

The O/S is RH5-64. The license issue has been addressed. However, this instance of Splunk still does not seem to accept data from forwarders or light forwarders. The ports on the indexer are on and listening and there is no firewall in between the host and the indexer. I run a TCP Dump on the indexer and I see data from the light forwarder. However, I can't seem to query the data.

Does this have anything to do with the licensing at this time? We have applied a license to the indexer though.
