Deployment Architecture

Data not forwarding to cluster/master

rewritex
Contributor

The logging isn't making it to my cluster. I'm trying to capture port traffic in one of my UFs (universal forwarders) and send it to my cluster. I have a few [monitor:/xxxx] set up in the same inputs.conf and they are working. Is there something different I need to do to get this port data_input to work?

Port: 10674
Traffic is coming to my server: tcpdump -n tcp dst port 10674 (works)

I've configured my universal forwarder local/inputs.conf

[tcp://:10674]
_TCP_ROUTING = PST_01
#connection_host = none
index = Pacific_Coast_01
sourcetype = Pacific_Coast

I have indexDiscovery setup on my master.
Traffic isn't making into my peer cluster.

Any advice would be great. Thank You.

0 Karma
1 Solution

lguinn2
Legend

What is in outputs.conf on your forwarder? What is in splunkforwarder/var/log/splunkd.log that might be related to this problem? If your forwarder is successfully retrieving a list of servers from the cluster master, you should be able to see it there - or an error message if not.

How are your indexers configured to receive the input?

Another thing to check is that you have the right password for the cluster. Of course, you won't be able to see it, because it is encrypted. But if you aren't sure (or if the log indicates that the forwarder can't talk to the cluster master), then you might want to re-enter it into the pass4SymmKey in outputs.conf on the forwarder. Restart the forwarder to encrypt the password and make the forwarder try again to connect.

On your forwarder's inputs.conf, you have

connection_host = none

But then you didn't set

host=xyz

which you need to do if you aren't using the connection host. I suppose you can let it default to the forwarder's host name, but that doesn't seem to be where the data originated...

Hopefully, you have followed the directions for Use indexer discovery...


0 Karma

MuS
SplunkTrust

Can you post the outputs.conf as well?

0 Karma

rewritex
Contributor

Outputs from my forwarder:

[indexer_discovery:master1]
pass4SymmKey = <xxxxx>
master_uri = https://<IP>:8089

[tcpout:PST_01]
autoLBFrequency = 30
forceTimebasedAutoLB = true
indexerDiscovery = master1
useACK = true

[tcpout]
defaultGroup = PST_01

recap:
- My inputs.conf includes [monitor:/xxxx] entries which are working and populating my cluster.
- Pass4SymmKey is working.
- I am now trying to set up [TCP://xxx] entries. I have data being piped from an appliance to my forwarder over port 10674. I've tried [TCP://:10599] and currently trying [TCP://:10599] modifications within the inputs.conf

Thank You

0 Karma
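A small config cross-check covering lguinn2's inputs.conf point (connection_host = none with no host set) together with the outputs.conf posted above, as an added example that is not part of this thread and not Splunk's own tooling. It parses constructed copies of both files with Python's configparser and reports the mismatches a forwarder admin would want flagged before digging through splunkd.log: a tcp input with connection_host = none but no host, a _TCP_ROUTING group with no matching [tcpout:<group>] stanza, an indexerDiscovery name with no [indexer_discovery:<name>] stanza, an unfilled pass4SymmKey, and an index name that breaks Splunk's rule that index names use only lowercase letters, digits, underscores and hyphens. The sample inputs.conf deliberately uncomments connection_host = none so that check fires, and the finding codes are my own, not Splunk's.

```python
import configparser
import re

# Constructed sample, based on the stanzas quoted in this thread.
# connection_host is uncommented on purpose to exercise the host check.
INPUTS_CONF = """\
[tcp://:10674]
_TCP_ROUTING = PST_01
connection_host = none
index = Pacific_Coast_01
sourcetype = Pacific_Coast
"""

# Constructed copy of the outputs.conf posted above (key still redacted).
OUTPUTS_CONF = """\
[indexer_discovery:master1]
pass4SymmKey = <xxxxx>
master_uri = https://<IP>:8089

[tcpout:PST_01]
autoLBFrequency = 30
forceTimebasedAutoLB = true
indexerDiscovery = master1
useACK = true

[tcpout]
defaultGroup = PST_01
"""

# Index names: lowercase letters, digits, underscore, hyphen; no leading _ or -.
INDEX_NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")


def parse_conf(text):
    """Parse a Splunk .conf file (INI-style) keeping key case intact."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # preserve _TCP_ROUTING / pass4SymmKey spelling
    cp.read_string(text)
    return cp


def check_forwarder_confs(inputs_text, outputs_text):
    """Return a list of (code, stanza, message) findings; empty means clean."""
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)
    findings = []

    for stanza in inputs.sections():
        if not stanza.startswith(("tcp://", "udp://")):
            continue  # only network inputs carry connection_host semantics
        s = inputs[stanza]
        if s.get("connection_host", "").strip().lower() == "none" and "host" not in s:
            findings.append(("MISSING_HOST", stanza,
                             "connection_host = none but no host= set; events "
                             "will carry the forwarder's hostname"))
        group = s.get("_TCP_ROUTING", "").strip()
        if group and f"tcpout:{group}" not in outputs:
            findings.append(("UNKNOWN_ROUTING_GROUP", stanza,
                             f"_TCP_ROUTING={group} has no [tcpout:{group}] stanza"))
        index = s.get("index", "").strip()
        if index and not INDEX_NAME_RE.fullmatch(index):
            findings.append(("BAD_INDEX_NAME", stanza,
                             f"index={index} is not a valid Splunk index name"))

    for stanza in outputs.sections():
        if stanza.startswith("tcpout:"):
            disc = outputs[stanza].get("indexerDiscovery", "").strip()
            if disc and f"indexer_discovery:{disc}" not in outputs:
                findings.append(("UNKNOWN_DISCOVERY", stanza,
                                 f"indexerDiscovery={disc} has no "
                                 f"[indexer_discovery:{disc}] stanza"))
        elif stanza.startswith("indexer_discovery:"):
            key = outputs[stanza].get("pass4SymmKey", "").strip()
            # An empty key or an unfilled <...> template means the forwarder
            # cannot authenticate to the cluster manager at all.
            if not key or (key.startswith("<") and key.endswith(">")):
                findings.append(("PLACEHOLDER_KEY", stanza,
                                 "pass4SymmKey is empty or still a placeholder"))
    return findings


def finding_codes(inputs_text, outputs_text):
    """Convenience wrapper returning just the sorted finding codes."""
    return sorted(code for code, _, _ in check_forwarder_confs(inputs_text, outputs_text))


if __name__ == "__main__":
    for code, stanza, msg in check_forwarder_confs(INPUTS_CONF, OUTPUTS_CONF):
        print(f"{code:22} [{stanza}] {msg}")
```

Run it against real files by reading $SPLUNK_HOME/etc/system/local/inputs.conf and outputs.conf into the two strings; a clean pair returns an empty list, and each finding names the stanza to fix.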