Setting up Forwarder and Testing

bherbert
Engager

So, I've installed and configured the Splunk forwarder on my Intranet Server. I'm trying to get the IIS logs from \Windows\System32\LogFiles\W3SVC folder. I think that I've configured it properly and have set up the receiving in Manager. Is there anything else on the receiver that I need to set up? I'm not getting any files. How can I test to see if the Intranet Server is even sending the data?


kristian_kolb
Ultra Champion

Well, you could check the following things:

Is there even a network connection between the two machines?
open up a CMD prompt and type netstat -an | find "ESTABLISHED"
If there is no connection between the machines you may have a firewall issue

Check the splunkd.log for errors (located in /opt/splunk/var/log/splunk on *nix, and in c:\program files\splunk[universalforwarder]\var\log\splunk on win* - unless you've changed install locations).

Check to see if you have configured monitoring correctly. On the forwarding end, type splunk list monitor at the command line. Ensure that you have gotten your (back)slashes in correctly in your monitor stanzas.

If neither of these things will help you to get this going, please supply the outputs.conf from the forwarder, and the inputs.conf from both machines. Depending on how you configured Splunk, these are most likely located in /splunk/etc/apps/search, splunk/etc/apps/launcher or /splunk/etc/system/local. You should have more than one instance of each file on both machines.

Hope this helps,

Kristian

kristian_kolb
Ultra Champion

Well, I'm not too familiar with configuring . As for ports, the splunk indexer (receiver) is using the same port all the time, unless you have made an advanced configuration. Most people tend to use port 9997 for log transport. If your indexer is also a Deployment Server, you want to allow traffic from your forwarder to port 8089 (default) on the server.


bherbert
Engager

01-25-2012 12:24:56.633 -0500 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
01-25-2012 12:25:04.821 -0500 WARN TcpOutputProc - Cooked connection to ip=10.0.50.87:9997 timed out

Looking at the Event Viewer on the receiver it appears the local firewall is blocking the packets from the forwarder. I assume I'll need to add an exception to the firewall but, what exactly do I need to add? Doesn't appear it's using the same port every time. Suggestions?

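The checks Kristian lists (connection test, splunkd.log, splunk list monitor) and the port question in the last post, pulled together as one PowerShell script for the Windows forwarder. This is an added example, not code from anyone in the thread or from Splunk. The indexer address and port 9997 are taken from the WARN line quoted above; port 8089, the install path and the firewall rule wording are assumptions based on Splunk defaults. The "port changes every time" observation in the Event Viewer is the forwarder's ephemeral source port; the destination port on the receiver is always 9997 for data and 8089 for the deployment-server handshake, so those are the ports a receiver-side rule needs to allow.

```powershell
# Added troubleshooting example for the thread above; not the posters' or Splunk's code.
# Run on the FORWARDER in an elevated PowerShell. Test-NetConnection and
# Get-NetTCPConnection need Windows 8 / Server 2012 or later (assumption).

$Indexer    = '10.0.50.87'                                  # receiver IP from the posted WARN line
$Ports      = 9997, 8089                                    # 9997 = receiving port, 8089 = deployment server (defaults)
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # default UF install path (assumption)
$SplunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'

# 1. Can the forwarder reach the receiver on each port at all?
#    TcpTestSucceeded = False points at a host firewall or routing problem.
foreach ($Port in $Ports) {
    Test-NetConnection -ComputerName $Indexer -Port $Port -WarningAction SilentlyContinue |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 2. Is there an established session right now? Only RemotePort is fixed;
#    LocalPort is ephemeral and differs on every new connection, which is the
#    "not the same port every time" seen in the receiver's Event Viewer.
Get-NetTCPConnection -State Established -RemotePort 9997 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

# 3. Pull the most recent forwarding-related warnings/errors out of splunkd.log.
#    Both lines quoted in the thread (TcpOutputProc timed out,
#    DeploymentClient not_connected) match this filter.
if (Test-Path $SplunkdLog) {
    Select-String -Path $SplunkdLog -Pattern 'TcpOutputProc|DeploymentClient' |
        Where-Object { $_.Line -match ' (WARN|ERROR) ' } |
        Select-Object -Last 20 -ExpandProperty Line
}

# 4. Confirm the monitor stanza actually resolved to the IIS log directory
#    (this is where a wrong slash in inputs.conf shows up as a missing entry).
& (Join-Path $SplunkHome 'bin\splunk.exe') list monitor

# 5. On the RECEIVER, not here: allow inbound TCP 9997 from this forwarder only.
#    Replace the placeholder with the forwarder's address before running.
# New-NetFirewallRule -DisplayName 'Splunk receiving (9997)' -Direction Inbound `
#     -Protocol TCP -LocalPort 9997 -RemoteAddress '<forwarder-ip>' -Action Allow
```

If step 1 fails for 9997 but step 3 shows only the DeploymentClient warning, the data path is fine and only 8089 is blocked; if both ports fail, add the receiver-side rule from step 5 (and a matching one for 8089 if the indexer is also the deployment server) and re-run step 1 before touching inputs.conf or outputs.conf.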