Getting Data In

Why is my Splunk Light instance not showing any forwarders configured as deployment clients?

yschiff
New Member

I have installed Splunk Light on a server and installed the Windows Forwarding agent on a separate server to forward Windows Event Logs. I entered the host name of the splunk server during the install process.

I have opened port 9997 on the firewall between these two machines but when I go to Add Data -> Forwarders, the forwarding server doesn't show up. It only says "There are currently no forwarders configured as deployment clients to this instance".

The forwarder was installed using local system account.

Can anyone tell me what I'm missing here?

0 Karma

ppablo
Retired

HI @yschiff

Just following up with this post, but did @ogdin's answer and comment help solve your question? If yes, don't forget to resolve the post by clicking "Accept" directly below the answer. Thanks!

ogdin
Splunk Employee
Splunk Employee

You also need to point the Forwarder to the Splunk Light server as a Deployment Client. Go to $SPLUNK_HOME/bin on the Forwarder and do:

splunk set deploy-poll splunklight-servername/ip:splunklight-mgmt-port

The management port is 8089 by default. Then you should see the Forwarder in the Add Data -> Forwarders Section once the Forwarder handshakes with the server. Might not show up immediately but give it a sec and you will see it.

ferdie
Explorer

Thanks for that Ogdin. I tried that, but still don't get any traffic past my firewall policy. The new log entry is:
DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

0 Karma

ferdie
Explorer

Well, nevermind. I changed my firewall to allow all traffic, and now it works. I have the Forwarder communicating and configured on my "instance." Whew, that only took 4 hours. 🙂

0 Karma

ferdie
Explorer

I'm having the same problem. Why does the Forwarder default to pot 9997, but the Splunk Light instance only listen on 8087?

Also, when I enter in the splunk set dploy-poll.10.1.1.1:8087, I get asked for a Splunk user/pass. My instance account didn't work.

0 Karma

ogdin
Splunk Employee
Splunk Employee

Hi ferdie,

For this purpose, the only relevant ports open by default on the Splunk Light instance are 8000 for the Web interface and 8089 for the management port. These can be changed during Splunk start up if the ports are already taken. To get a Forwarder connected to send data to a Splunk Light instance AND under the control of the Splunk Light instance, you need to do a couple of things.

  1. Open a port on the Splunk Light instance to listen for data from the forwarder. You can do this via the Splunk Light UI in the Data, Receiving section. Let's say you select 9997.
  2. On the Forwarder, tell it where to send data. You can do this from the CLI by using splunk add forward-server 10.0.0.2:9997 Where 10.0.0.2 is the address of your Splunk Light server and 9997 is the port you opened to listen. On the forwarder, you will be asked to authenticate locally and if you have not changed the password, the default is admin/changeme.
  3. On the Forwarder, tell it you want to control the Forwarder from the Splunk Light instance. Use: splunk set deploy-poll 10.0.0.2:8089 Note that data goes to one port (9997) and management is done through another port (8089). You will also be asked to authenticate again locally to the Forwarder with the default admin/changme.

You should now see the Forwarder in the Add Data, Forwarded inputs section on the Splunk Light instance.

0 Karma

yschiff
New Member

thanks for that info. I installed the forwarder on my local machine (win 8.1) and can see in my firewall logs successful communication with my splunk server on 9997 and 8089 from my machine but still don't see any forwarders in Splunk. As for the command "splunk set deploy-poll : ", i'm not quite sure what to do with that. I opened a command window to that directory and entered that command but get a weird message.

C:\Program Files\SplunkUniversalForwarder\bin>splunk set deploy-poll :
Operation "ospath_fopen" failed in c:\splunk\build-src\6.2.2\src\libzero\conf-mu
tator-locking.c:311, conf_mutator_lock(); No error

I have been able setup remote event log capturing but would still like to figure out how to use the forwarder.

Thanks.

0 Karma

ogdin
Splunk Employee
Splunk Employee

Sorry, formatting. The correct command is above. So, for example, if your Splunk Light server IP address is 10.0.0.2,

splunk set deploy-poll 10.0.0.2:8089

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...