Hi,
I set up a Windows XP box as a Universal Forwarder to my Splunk indexer (Linux) and whilst I see packets arriving (tcpdump on the linux box) I can't seem to find the actual data. The forwarder was configured to gather pretty much anything it could as a local admin account, and I've installed the Windows app on Linux (and removed the inputs.conf as per the documentation) but no data seems to show up.
metrics.log seems to show something happening:
04-10-2012 18:14:27.505 +1000 INFO StatusMgr - destPort=9999, eventType=connect_done, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4142, statusee=TcpInputProcessor
04-10-2012 18:14:32.521 +1000 INFO StatusMgr - destPort=9999, eventType=connect_close, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4142, statusee=TcpInputProcessor
But it's not clear where the data is actually going - the Windows app sees nothing.
I've cranked up the TCPInputProc to "debug" but nothing seems to have shown up there.
What am I missing?
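To make metrics.log entries like the ones above easier to read while troubleshooting, here is an added example (not from the original post or from Splunk) that parses the StatusMgr lines and pairs each connect_done with the connect_close for the same source address, source port and destPort, reporting how long each forwarder connection stayed open and which ones have no close event. The sample log is constructed from the two lines in the question plus one hypothetical open connection; it assumes the fields are always a comma-separated key=value list as shown.

```python
import re
from datetime import datetime

# Constructed sample: the two StatusMgr lines from the question plus one
# hypothetical connect_done (source port 4150) with no matching close yet.
SAMPLE_METRICS_LOG = """\
04-10-2012 18:14:27.505 +1000 INFO StatusMgr - destPort=9999, eventType=connect_done, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4142, statusee=TcpInputProcessor
04-10-2012 18:14:32.521 +1000 INFO StatusMgr - destPort=9999, eventType=connect_close, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4142, statusee=TcpInputProcessor
04-10-2012 18:15:01.000 +1000 INFO StatusMgr - destPort=9999, eventType=connect_done, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4150, statusee=TcpInputProcessor
"""

# Layout shown in the question: timestamp, level, component, key=value list.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+) StatusMgr - (?P<fields>.*)$"
)

def parse_statusmgr_line(line):
    """Return the key=value fields of one StatusMgr line ('ts' as a datetime), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split(", "))
    fields["ts"] = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    return fields

def forwarder_sessions(log_text):
    """Pair each connect_done with the connect_close for the same (sourceIp, sourcePort,
    destPort); 'seconds' is the session length, or None if no close was seen."""
    open_conns = {}
    sessions = []
    for line in log_text.splitlines():
        ev = parse_statusmgr_line(line)
        if ev is None or ev.get("statusee") != "TcpInputProcessor":
            continue
        key = (ev["sourceIp"], ev["sourcePort"], ev["destPort"])
        if ev["eventType"] == "connect_done":
            open_conns[key] = ev["ts"]
        elif ev["eventType"] == "connect_close" and key in open_conns:
            opened = open_conns.pop(key)
            sessions.append({"source": f"{key[0]}:{key[1]}", "destPort": key[2],
                             "seconds": (ev["ts"] - opened).total_seconds()})
    for key in open_conns:  # no close event in this log: still open, or log truncated
        sessions.append({"source": f"{key[0]}:{key[1]}", "destPort": key[2], "seconds": None})
    return sessions

if __name__ == "__main__":
    for s in forwarder_sessions(SAMPLE_METRICS_LOG):
        print(s)
```

Run it against a real $SPLUNK_HOME/var/log/splunk/metrics.log to see whether the forwarder's connections are short-lived like the 5-second one in the question or stay established.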
D'OH. Fixed. The clue was in the "DeploymentClient" error above; the problem was obvious at that point (there was no way to get to the Windows logs when I posted the question before; now I'm in front of them, and...sigh). It's not a DS/DC setup; I reversed the hosts to talk to in the installation wizard. All good.
Three things to check:
1) To which index are you sending the logs? Check your inputs.conf on the forwarder. Perhaps the Windows app searches a different index.
2) Permissions - do you have the right to search the index where events are stored a/o is it searched by default? Check Manager -> Account settings -> roles -> your_role. You'll find the settings for this near the bottom of the page.
3) Timestamps - are you searching the correct time a/o is the time setting correct on the forwarder? If timestamps are correct, you should check to see that they are parsed correctly. Look (in the Search app) under Status -> Server Activity -> Splunkd Activity overview. There should be a panel for timestamping errors at the bottom.
So to sum it up, perform the following search:
index=*
and set it for "All time". Let it run for a while.
Hope this helps,
Kristian
It looks like this is the problem I'm having:
http://splunk-base.splunk.com/answers/28797/deploymentclient-unable-to-send-handshake-message
The splunkd.log on the Windows box has that in it repeatedly. I've verified the roles, as well as the index, but, nope...hmmm