forward-server listed as inactive

miceli
New Member

Hi guys,
I have been working on the creation of a deployment server with universal forwarders, and the outputs.conf contains:

[tcpout]
defaultGroup=cm
[tcpout:cm-processing]
server=cm:9997

This is making its way to the universal forwarder, but when I run ./splunk list forward-server it shows the connection as inactive. I have looked on the distribution server for clients, which returned this machine as a client. Also, I have checked the listener (cm) to see if it has forwarders attached, which it doesn't. Any help would be greatly appreciated. Thanks!

0 Karma

gonghaokaka
New Member

For me, the issue was related to the Windows Firewall at the indexer (Splunk Enterprise) server, which blocked the forwarder server's connection.

The error found in the forwarder server's splunkd.log:

ERROR TcpInputProc - Error encountered for connection from ... timeout

To fix it, simply allow splunkd.exe (located at splunk_home\bin) to communicate through Windows Firewall.

Tim

0 Karma

jhl226116
Explorer

I'm having the same issue here but am unable to solve the problem.

0 Karma

ta_viewpointcs
Engager

Why am I seeing junk answers all over this forum from Splunk?

Why doesn't anyone put these questions to rest once and for all? I have looked at 5 different posts ALL with the same problem, and Splunk keeps saying "check your firewall."

tewner
Explorer

I had the same error and my outputs.conf was configured correctly. This issue was caused by iptables not allowing connections to the listener port.

Solved with a rule like:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 9997 -m comment --comment "splunk remote Listener" -j ACCEPT

kristian_kolb
Ultra Champion

Hi, this may not be applicable, but here it goes.

It seems that this may be a bogus error message, at least according to this page (some release notes for v4.2Beta):

Running splunk list forward-server lists one of the servers under "Configured but inactive forwards:", but it is forwarding. (SPL-35461)

Is that the case, that you get the error message, but logs keep coming in? What version are you running? If anything but the latest, try upgrading.

/kristian

0 Karma

miteshvohra
Contributor

I am getting this on version 5.0.3.

0 Karma

Jorge_L
New Member

Did you ever get an answer to this question? I'm seeing the same behavior.

0 Karma

Paolo_Prigione
Builder

The defaultGroup setting should specify the stanza name, "cm-processing", and not the server name, "cm". As the forward server setting is always tricky to set, I'd suggest you log in to a vanilla universal forwarder and run

splunk add forward-server cm:9997

then copy over the $SPLUNK_HOME/etc/system/local/outputs.conf settings generated by the command in your configuration distribution system. In any case, the final configuration of your outputs.conf should be (untested):

[tcpout]
defaultGroup=cm-processing

[tcpout:cm-processing]
server=cm:9997

[tcpout-server://cm:9997]

Cheers, Paolo
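The two causes reported in this thread, a defaultGroup that names no [tcpout:<group>] stanza and a receiver port blocked by a firewall, can both be checked from the forwarder side. The following is an added example, not code from the thread or from Splunk; the function names check_outputs and reachable are hypothetical, and it assumes defaultGroup and server hold comma-separated lists.

```python
import configparser
import socket

# Both outputs.conf variants posted in this thread, embedded as sample input.
QUESTION_CONF = """[tcpout]
defaultGroup=cm
[tcpout:cm-processing]
server=cm:9997
"""
ANSWER_CONF = """[tcpout]
defaultGroup=cm-processing
[tcpout:cm-processing]
server=cm:9997
[tcpout-server://cm:9997]
"""

def check_outputs(conf_text):
    """Return (problems, targets) for the default tcpout groups in outputs.conf text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names such as defaultGroup case-sensitive
    cp.read_string(conf_text)
    problems, targets = [], []
    default = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in default.split(",") if g.strip()]
    if not groups:
        problems.append("no defaultGroup set in [tcpout]")
    for group in groups:
        stanza = "tcpout:" + group
        servers = cp.get(stanza, "server", fallback=None)
        if servers is None:  # stanza missing, or present without a server line
            problems.append(f"defaultGroup '{group}' has no [{stanza}] stanza with a server setting")
            continue
        for entry in (s.strip() for s in servers.split(",") if s.strip()):
            host, _, port = entry.rpartition(":")
            targets.append((host.strip("[]"), int(port)))
    return problems, targets

def reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (listener up, no firewall drop)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name not resolvable
        return False

if __name__ == "__main__":
    for name, text in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        problems, targets = check_outputs(text)
        print(name, problems or "ok", [(t, reachable(*t)) for t in targets])
```

A target that parses cleanly but is not reachable points at the receiver side: the listening port on the indexer or a host firewall rule in between.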

miceli
New Member

Thanks Paolo.

I unfortunately end up with the following output like before (it was a typo with the cm-processing and cm tags)

Active forwards:
        None
Configured but inactive forwards:
        cm:9997

I just need to know how to activate the forward-server, but the only commands according to http://www.splunk.com/base/Documentation/latest/Admin/CLIadmincommands are list, edit (which apparently isn't supported on the universal forwarder), add and remove.

0 Karma