Hi guys,
I have been working on the creation of a deployment server with universal forwarders, and the outputs.conf contains:
[tcpout]
defaultGroup=cm
[tcpout:cm-processing]
server=cm:9997
This is making its way to the universal forwarder, but when I run ./splunk list forward-server it shows the connection as inactive. I have looked on the distribution server for clients, which returned this machine as a client. Also, I have checked the listener (cm) to see if it has forwarders attached, which it doesn't. Any help would be greatly appreciated. Thanks!
For me, the issue was related to the Windows Firewall at the indexer (Splunk Enterprise) server, which blocked the forwarder server's connection.
The error found in the forwarder server's splunkd.log:
ERROR TcpInputProc - Error encountered for connection from ... timeout
To fix it, simply allow splunkd.exe (located at splunk_home\bin) to communicate through Windows Firewall.
Tim
I'm having the same issue here but am unable to solve the problem.
Why am I seeing junk answers all over this forum from Splunk?
Why doesn't anyone put these questions to rest once and for all? I have looked at 5 different posts ALL with the same problem, and Splunk keeps saying "check your firewall."
I had the same error and my outputs.conf was configured correctly. This issue was caused by IPtables not allowing connections to the listener port.
Solved with a rule like:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9997 -m comment --comment "splunk remote Listener" -j ACCEPT
Hi, this may not be applicable, but here it goes.
It seems that this may be a bogus error message, at least according to this page (some release notes for v4.2Beta):
Running splunk list forward-server
lists one of the servers under
"Configured but inactive forwards:",
but it is forwarding. (SPL-35461)
Is that the case, that you get the error message, but logs keep coming in? What version are you running? If anything but the latest, try upgrading.
/kristian
I am getting this on version 5.0.3.
Did you ever get an answer to this question? I'm seeing the same behavior.
The defaultGroup setting should specify the stanza name, "cm-processing", and not the server name, "cm". As the forward server setting is always tricky to set, I'd suggest you log in to a vanilla universal forwarder and run
splunk add forward-server cm:9997
then copy over the $SPLUNK_HOME/etc/system/local/outputs.conf settings generated by the command into your configuration distribution system. In any case, the final configuration of your outputs.conf should be (untested):
[tcpout]
defaultGroup=cm-processing
[tcpout:cm-processing]
server=cm:9997
[tcpout-server://cm:9997]
Cheers, Paolo
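The two causes raised in this thread (a defaultGroup that names no [tcpout:<group>] stanza, and a listener port that cannot be reached) can be checked with a short script. This is an added example, not part of any post above and not Splunk code; the function names and the embedded sample are constructed for illustration, and it assumes defaultGroup and server are comma-separated lists.

```python
import configparser
import socket

# Constructed sample: the outputs.conf from the question, where defaultGroup
# names the host ("cm") instead of the target group ("cm-processing").
BROKEN = """\
[tcpout]
defaultGroup=cm
[tcpout:cm-processing]
server=cm:9997
"""

def load(text):
    # Only "=" separates key and value, so "cm:9997" stays intact.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep setting names such as defaultGroup as written
    cp.read_string(text)
    return cp

def check_default_groups(text):
    """Return (problems, targets) for the groups named by defaultGroup."""
    cp = load(text)
    problems, targets = [], []
    raw = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    if not groups:
        problems.append("defaultGroup is not set in [tcpout]")
    for group in groups:
        stanza = "tcpout:" + group
        if not cp.has_section(stanza):
            problems.append("defaultGroup '%s' has no [%s] stanza" % (group, stanza))
            continue
        servers = [s.strip() for s in cp.get(stanza, "server", fallback="").split(",") if s.strip()]
        if not servers:
            problems.append("[%s] has no server setting" % stanza)
        targets.extend(servers)
    return problems, targets

def can_connect(target, timeout=3.0):
    """True if a TCP connection to host:port succeeds (listener/firewall check)."""
    host, _, port = target.rpartition(":")
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except (OSError, ValueError):
        return False

if __name__ == "__main__":
    problems, targets = check_default_groups(BROKEN)
    for p in problems:
        print("config:", p)
    for t in targets:
        print(t, "reachable" if can_connect(t) else "NOT reachable")
```

Run it on the forwarder host against the deployed outputs.conf: a config finding points at the stanza naming, while a clean config with an unreachable target points at the firewall or the listener.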
Thanks Paolo.
I unfortunately end up with the following output like before (it was a typo with the cm-processing and cm tags)
Active forwards:
None
Configured but inactive forwards:
cm:9997
I just need to know how to activate the forward-server, but the only commands according to http://www.splunk.com/base/Documentation/latest/Admin/CLIadmincommands are list, edit (which apparently isn't supported on the universal forwarder), add and remove.