I installed my universal forwarder on an Ubuntu server. I have successfully established a connection to my Splunk Enterprise server (netstat). And as I continue pinging my Splunk server from my universal Forwarder, I still get nothing.
Source: https://www.youtube.com/watch?v=ioGKxQTdp9k
How can I successfully use my universal forwarder?
Is listening enabled on the indexer?
[demo@Indexer bin]$ ./splunk display listen
Receiving is enabled on port 9997.
Is the deployment client (forwarder) configured?
[demo@Forwarder bin]$ ./splunk show deploy-poll
Deployment Server URI is set to "10.0.0.201:8089"
Is forwarding set up on the forwarder?
[demo@Forwarder bin]$ ./splunk list forward-server
Active forwards:
10.0.0.200:9997
Configured but inactive forwards:
None
What is the forwarder's Splunk hostname?
[demo@Forwarder bin]$ ./splunk show servername
Server name: engdev00
[demo@Forwarder bin]$ ./splunk show default-hostname
Default hostname for data inputs: engdev00.
Are events coming into the _internal index on the forwarder?
index=_internal host=engdev00
If they are, then you are ready to start defining some inputs.
I was 99% sure you were going to rickroll Splunk Answers
First, it was really nice that you uploaded the video. Most of the time we don't know exactly what's going on but that is really helpful.
Second, I can see the data is coming from the TA-Linux apps, but can you check if the data is going to the right index? You enabled the same inputs on your indexer and can see that in the Splunk App for Unix, but check the index that the Indexer is storing the data in and the index the UF is sending data to.
Hi everybody. I know the post is two years old, but I am having similar problems. For me all the steps above are working correctly and I am seeing events from my forwarder in the _internal index. But somehow the forwarder does not show up in "Forwarder management"? Any suggestions?
Everything is Green. Though I did not configure my inputs.conf. I configured my outs.conf instead which is at the file location /opt/splunkforwarder/etc/system/local/inputs.conf.
[default]
host = bss

[monitor:///var/log/snort/snort.log.*]
sourcetype=snort
index=snort_alert
disabled=false
Would this be the correct way to set up my inputs.conf?
Yep, the file syntax here should be in your inputs.conf file on the forwarder, /opt/splunkforwarder/etc/system/local/inputs.conf.
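A small checker for the inputs.conf discussed above, added here as an example (it is not Splunk's code or any poster's): it parses the stanza format, flags a bare "default" header that is missing its brackets, confirms each monitor stanza names an index and a sourcetype and is not disabled, and lists the indexes that must already exist on the indexer (the "right index" question raised earlier). The sample config is constructed from the snippet in this thread.

```python
import re

# Sample inputs.conf built from the snippet in the thread (constructed, not from a real host).
SAMPLE_INPUTS_CONF = """\
[default]
host = bss

[monitor:///var/log/snort/snort.log.*]
sourcetype=snort
index=snort_alert
disabled=false
"""
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

def parse_conf(text):
    """Parse Splunk .conf text into ({stanza: {key: value}}, bad_lines)."""
    stanzas, bad_lines, current = {"": {}}, [], ""  # '' holds settings seen before any header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
        else:
            bad_lines.append(line)  # e.g. a bare 'default' where '[default]' was meant
    return stanzas, bad_lines

def check_inputs_conf(text):
    """Return findings for a forwarder inputs.conf; an empty list means it looks sane."""
    stanzas, bad_lines = parse_conf(text)
    findings = [f"unparseable line {line!r}: stanza headers need [brackets]" for line in bad_lines]
    if stanzas[""]:
        findings.append(f"settings outside any stanza: {sorted(stanzas[''])}")
    monitors = {n: s for n, s in stanzas.items() if n.startswith("monitor://")}
    for name, st in monitors.items():
        for key in ("index", "sourcetype"):
            if key not in st:
                findings.append(f"{name}: {key} not set")
        if st.get("disabled", "false").lower() in ("1", "true"):
            findings.append(f"{name}: input is disabled")
    return findings

def target_indexes(text):
    """Indexes the monitor stanzas write to; each one must already exist on the indexer."""
    stanzas, _ = parse_conf(text)
    return {st["index"] for s, st in stanzas.items() if s.startswith("monitor://") and "index" in st}
```

Run check_inputs_conf on the file from the forwarder and compare target_indexes against the indexes defined on the indexer; any index missing there means the data is being dropped or landing in the default index.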