Deployment Architecture

light-forwarder question

a212830
Champion

Hi,

The local Splunk folks recommended we switch from a universal forwarder to a light-forwarder in our dev env. I installed the full Splunk image, and enabled light-forwarding, but now I'm seeing "Connection to XX.XX.XXX.XX:8089 closed. Read error. Connection reset by peer" messages. I enabled light-forwarding, and added the forwarder destination. Is this port right? Not sure what I missed here...

0 Karma
1 Solution

Ayn
Legend

Port 8089 is used for intra-Splunk communication (license info, deployment traffic, etc.), not for sending and receiving logs. You should configure the forwarder to send its logs to a port that has been set up for receiving forwarded logs on the indexer - which port number it has depends on what port the indexer has been configured to use, but port 9997 is commonly used for this.

Some docs on the subject:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deploymentoverview
http://docs.splunk.com/Documentation/Splunk/4.3.2/Deploy/DeployaWindowsdfmanually

a212830
Champion

Duh. OK. Thanks!

0 Karma

Ayn
Legend

No, you only need one output per indexer from the forwarder, regardless of how many sources (files, ports, scripts, ...) the forwarder has.

0 Karma

a212830
Champion

Ah, gotcha. Wasn't sure if there was some sort of "funnel", where I read from different ports and sent them over a different one. So, if I read 3 different ports, I should have 3 corresponding outputs to the indexer?

0 Karma

a212830
Champion

I am seeing it in the splunkd.log on the agent server. I used port 8089 as the forwarder port - I don't see any doc that states what port to use.

0 Karma

Ayn
Legend

Where are you seeing this error? What port did you configure the forwarder to send its events to?

0 Karma
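
The configuration discussed in this thread, as an added example that is not part of the original posts: the indexer opens a receiving port, and the forwarder sends every input through one output aimed at that port rather than at the management port 8089. The host name, output group name, monitored path, listening ports and sourcetypes are assumptions chosen for illustration.

```ini
# ==== Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ====
# Receiving port for forwarded data. 9997 is the commonly used choice;
# use whichever port your indexer is actually configured to listen on.
[splunktcp://9997]
disabled = 0

# ==== Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ====
# Misconfiguration from the question (kept commented out): 8089 is the
# management port, not a receiving port for forwarded logs.
# [tcpout:dev_indexers]
# server = indexer.example.internal:8089

# Corrected: a single output group aimed at the indexer's receiving port.
[tcpout]
defaultGroup = dev_indexers

[tcpout:dev_indexers]
# Hypothetical host name; replace with your indexer.
server = indexer.example.internal:9997

# ==== Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ====
# Three different sources (constructed for this example). All of them
# are sent through the one output group above; no per-source output
# is needed.
[monitor:///var/log/app/app.log]
sourcetype = app_log

[udp://514]
sourcetype = syslog

[tcp://5140]
sourcetype = app_tcp
```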