Getting Data In

forward-server listed as inactive

miceli
New Member

Hi guys,
I have been working on the creation of a deployment server with universal forwarders, and the outputs.conf contains:

[tcpout]
defaultGroup=cm
[tcpout:cm-processing]
server=cm:9997

This is making its way to the universal forwarder, but when I run ./splunk list forward-server it shows the connection as inactive. I have looked on the distribution server for clients, which returned this machine as a client. Also, I have checked the listener (cm) to see if it has forwarders attached, which it doesn't. Any help would be greatly appreciated. Thanks!

0 Karma

gonghaokaka
New Member

For me, the issue was that the Windows Firewall at the indexer (Splunk Enterprise) server blocked the forwarder server's connection.

The Error found in the forwarder server splunkd.log

ERROR TcpInputProc - Error encountered for connection from ... timeout

To fix it, simply allow splunkd.exe (located at splunk_home\bin) to communicate through the Windows Firewall.

Tim

0 Karma

jhl226116
Explorer

I'm having the same issue here but am unable to solve the problem.

0 Karma

ta_viewpointcs
Engager

Why am I seeing junk answers all over this forum from Splunk?

Why doesn't anyone put these questions to rest once and for all? I have looked at 5 different posts ALL with the same problem, and Splunk keeps saying "check your firewall."

tewner
Explorer

I had the same error and my outputs.conf was configured correctly. This issue was caused by IPtables not allowing connections to the listener port.

Solved with a rule like:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 9997 -m comment --comment "splunk remote Listener" -j ACCEPT

kristian_kolb
Ultra Champion

Hi, this may not be applicable, but here it goes.

It seems that this may be a bogus error message, at least according to this page (some release notes for v4.2Beta):

Running splunk list forward-server lists one of the servers under "Configured but inactive forwards:", but it is forwarding. (SPL-35461)

Is that the case, that you get the error message, but logs keep coming in? What version are you running? If anything but the latest, try upgrading.

/kristian

0 Karma

miteshvohra
Contributor

I am getting this on version 5.0.3.

0 Karma

Jorge_L
New Member

Did you ever get an answer to this question? I'm seeing the same behavior.

0 Karma

Paolo_Prigione
Builder

The defaultGroup setting should specify the stanza name, "cm-processing", and not the server name, "cm". As the forward server setting is always tricky to set, I'd suggest you log in to a vanilla universal forwarder and run

splunk add forward-server cm:9997

then copy the $SPLUNK_HOME/etc/system/local/outputs.conf settings generated by the command over into your configuration distribution system. In any case, the final configuration of your outputs.conf should be (untested):

[tcpout]
defaultGroup=cm-processing

[tcpout:cm-processing]
server=cm:9997
[tcpout-server://cm:9997]

Cheers, Paolo
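
The two causes raised in this thread (a defaultGroup that does not match any [tcpout:<group>] stanza, and a receiving port that is not reachable) can be checked from the forwarder with a short script. This is an added example, not part of any post above and not Splunk's own tooling; the names check_outputs and can_connect are hypothetical, and the sample configuration is the one from the original question.

```python
import configparser
import socket

# Constructed sample: the question's outputs.conf, where defaultGroup names
# the host ("cm") instead of the stanza ("cm-processing").
BROKEN = """\
[tcpout]
defaultGroup=cm
[tcpout:cm-processing]
server=cm:9997
"""

def check_outputs(text):
    """Return (problems, servers) for the text of an outputs.conf file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep setting names such as defaultGroup as written
    cp.read_string(text)
    groups = {s.partition(":")[2]: cp[s] for s in cp.sections() if s.startswith("tcpout:")}
    problems, servers = [], []
    default = cp.get("tcpout", "defaultGroup", fallback="")
    wanted = [g.strip() for g in default.split(",") if g.strip()]
    if not wanted:
        problems.append("no defaultGroup set in [tcpout]")
    for name in wanted:
        if name not in groups:
            problems.append(f"defaultGroup '{name}' has no [tcpout:{name}] stanza")
            continue
        for entry in groups[name].get("server", "").split(","):
            host, _, port = entry.strip().rpartition(":")
            if host and port.isdigit():
                servers.append((host, int(port)))
            else:
                problems.append(f"bad server entry '{entry.strip()}' in [tcpout:{name}]")
    return problems, servers

def can_connect(host, port, timeout=3.0):
    """True if a TCP connection to the receiving port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    problems, servers = check_outputs(BROKEN)
    for p in problems:
        print("config:", p)
    for host, port in servers:
        print(f"{host}:{port}", "reachable" if can_connect(host, port) else "no TCP connection")
```

A failed TCP connection from the forwarder host points at a firewall or a receiver that is not listening, while a reported config problem means the forwarder has no usable target group regardless of the network.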

miceli
New Member

Thanks Paolo.

I unfortunately end up with the following output like before (it was a typo with the cm-processing and cm tags)

Active forwards:
        None
Configured but inactive forwards:
        cm:9997

I just need to know how to activate the forward-server, but the only commands according to http://www.splunk.com/base/Documentation/latest/Admin/CLIadmincommands are list, edit (which apparently isn't supported on the universal forwarder), add and remove.

0 Karma