I am using Splunk Enterprise (Amazon Market Place AMI)
I have added Forwarding receiving port 9997
Installed universal forwarder and adding the forwarder to server failed: xx.xx.xxx.xx is my serverIP
PRODUCTION [root@jenkins bin]$ ./splunk add forward-server xx.xx.xxx.xx:9997 -auth admin:abcdef@123
Login failed
But using console xx.xx.xxx.xx:8000 with the same password and same username, I am able to login.
Please Help.
If you installed the forwarder fresh, without any custom method which sets the authentication, the default credential would be admin:changeme on the Universal forwarder. The above command is run on the universal forwarder and the credentials passed is for the Universal forwarder instance.
Try like this
./splunk add forward-server xx.xx.xxx.xx:9997 -auth admin:changeme
Or setup admin credentials on universal forwarder to use the same credentials (admin: PasswordFromIndexer) either using CLI OR using user-seed.conf
http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/User-seedconf
http://docs.splunk.com/Documentation/Splunk/6.2.6/Security/ConfigureuserswiththeCLI