Windows Universalforwarder to Linux Receiver, where's my data?

howyagoin
Contributor

Hi,

I set up a Windows XP box as a Universal Forwarder to my Splunk indexer (Linux) and whilst I see packets arriving (tcpdump on the linux box) I can't seem to find the actual data. The forwarder was configured to gather pretty much anything it could as a local admin account, and I've installed the Windows app on Linux (and removed the inputs.conf as per the documentation) but no data seems to show up.

metrics.log seems to show something happening:


04-10-2012 18:14:27.505 +1000 INFO  StatusMgr - destPort=9999, eventType=connect_done, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4142, statusee=TcpInputProcessor
04-10-2012 18:14:32.521 +1000 INFO  StatusMgr - destPort=9999, eventType=connect_close, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4142, statusee=TcpInputProcessor

But it's not clear where the data is actually going - the Windows app sees nothing.

I've cranked up the TCPInputProc to "debug" but nothing seems to have shown up there.

What am I missing?
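
The two StatusMgr lines above show a forwarder connection that is opened and then closed about five seconds later while nothing ever reaches an index. The following is an added example, not code from the post or from Splunk, that parses such metrics.log lines, pairs each connect_done with its connect_close per source address and port, and flags short-lived connections; the sample log text is constructed from the lines quoted in the question, and the 10-second "short" threshold is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the StatusMgr lines quoted in the question
# (the 1.2.3.4 host and ports are placeholders from the post, not real infrastructure).
SAMPLE_METRICS_LOG = """\
04-10-2012 18:14:27.505 +1000 INFO  StatusMgr - destPort=9999, eventType=connect_done, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4142, statusee=TcpInputProcessor
04-10-2012 18:14:32.521 +1000 INFO  StatusMgr - destPort=9999, eventType=connect_close, sourceHost=1.2.3.4, sourceIp=1.2.3.4, sourcePort=4142, statusee=TcpInputProcessor
"""

# Timestamp, log level, the StatusMgr component, then comma-separated key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+\s+StatusMgr - (?P<kv>.*)$"
)


def parse_line(line):
    """Return the key=value fields of one StatusMgr line plus its parsed time, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(part.strip().split("=", 1) for part in m.group("kv").split(","))
    fields["_time"] = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    return fields


def connection_lifetimes(log_text, short_threshold=timedelta(seconds=10)):
    """Pair connect_done/connect_close events on the TCP input per
    (sourceIp, sourcePort, destPort) and report each connection's lifetime.
    A forwarder that connects and drops within seconds, repeatedly, with no
    events indexed is the symptom worth chasing in outputs.conf / the wizard."""
    open_conns = {}
    results = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("statusee") != "TcpInputProcessor":
            continue
        key = (ev["sourceIp"], ev["sourcePort"], ev["destPort"])
        if ev["eventType"] == "connect_done":
            open_conns[key] = ev["_time"]
        elif ev["eventType"] == "connect_close" and key in open_conns:
            duration = ev["_time"] - open_conns.pop(key)
            results.append({
                "source": f"{key[0]}:{key[1]}",
                "destPort": key[2],
                "seconds": duration.total_seconds(),
                "short": duration < short_threshold,  # assumed threshold
            })
    return results
```

Running it against a real $SPLUNK_HOME/var/log/splunk/metrics.log on the indexer tells you whether the forwarder sessions ever live long enough to send data, which narrows the problem to the forwarder's side before you start checking indexes and roles.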

1 Solution

howyagoin
Contributor

D'OH. Fixed. The clue was in the "DeploymentClient" error above; problem was obvious at that point (was no way to get to the Windows logs when I posted the question before, now I'm in front of them, and...sigh). It's not a DS/DC setup, I reversed the hosts to talk to in the installation wizard. All good.

kristian_kolb
Ultra Champion

Three things to check:

1) To which index are you sending the logs? Check your inputs.conf on the forwarder. Perhaps the Windows app searches a different index.

2) Permissions - do you have the right to search the index where events are stored a/o is it searched by default? Check Manager -> Account settings -> roles -> your_role. You'll find the settings for this near the bottom of the page.

3) Timestamps - are you searching the correct time a/o is the time setting correct on the forwarder? If timestamps are correct, you should check to see that they are parsed correctly. Look (in the Search app) under Status -> Server Activity -> Splunkd Activity overview. There should be a panel for timestamping errors at the bottom.

So to sum it up, perform the following search:

index=*

and set it for "All time". Let it run for a while.

Hope this helps,

Kristian

howyagoin
Contributor

It looks like this is the problem I'm having:
http://splunk-base.splunk.com/answers/28797/deploymentclient-unable-to-send-handshake-message

The splunkd.log on the Windows box has that in it repeatedly. I've verified the roles, as well as the index, but, nope...hmmm
