Hi
I am new to Splunk and we have to complete a POC. We have two servers: Server A (index server, where Splunk Enterprise is installed) and Server B, where we have installed the forwarder and configured it to monitor one file system.
Server B :
Server B $> splunk list forward-server
Splunk username: admin
Password:
Active forwards:
ServerA:9997
Configured but inactive forwards:
None
Server A :
Server A > lsof -i TCP:9997
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
splunkd 20810 svc_splunk_dev 48u IPv4 18875290 0t0 TCP *:palace-6 (LISTEN)
splunkd 20810 svc_splunk_dev 79u IPv4 18884788 0t0 TCP ServerA:palace-6->ServerB:53122 (ESTABLISHED)
ServerA # splunk list forward-server
Splunk username: admin
Password:
Active forwards:
None
Configured but inactive forwards:
None
Please advise
Has your forwarder ever sent data to Splunk? If not, have you enabled your Splunk Enterprise server to listen on port 9997?
You could also look under /opt/splunk/var/log/splunk/splunkd.log for errors.
Hi
No, and there are no errors in the splunkd.log file. Also, the Splunk Enterprise server is configured to listen on port 9997.
Thanks
vivek
Do you have an outputs.conf defined on your forwarder which is pointing to your Splunk Enterprise instance? If so, have you tested the connection between the two servers to verify there is not a firewall blocking them?
Hi,
Yes. We have an outputs.conf file on the forwarder server.
ServerB #cat outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = ServerA:9997
[tcpout-server://ServerA:9997]
Did you restart splunkd after making changes to the conf files? Have you verified via telnet that your forwarder can connect to your Splunk instance? What is the location of your outputs.conf?
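The checks asked about above (which targets outputs.conf points at, whether port 9997 on the indexer is reachable from the forwarder, and whether splunkd.log shows TcpOutputProc trouble) can be run from one script. This is an added example, not code from the thread or from Splunk; the default paths and the log-message patterns it greps for are assumptions based on common splunkd.log wording.

```shell
#!/bin/sh
# Forwarder-side connectivity check for a Splunk indexer target.
# Assumption: a universal forwarder under /opt/splunkforwarder; override SPLUNK_HOME if different.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print every "server = host:port[, host:port]" target found in an outputs.conf, one per line.
outputs_targets() {
  awk -F'=' '
    /^[[:space:]]*server[[:space:]]*=/ {
      gsub(/[[:space:]]/, "", $2)          # drop spaces around host:port entries
      n = split($2, t, ",")                # a tcpout group may list several indexers
      for (i = 1; i <= n; i++) print t[i]
    }' "$1"
}

# Attempt a TCP connect to host:port (3 s timeout) and print "open" or "closed".
# Uses bash's /dev/tcp so neither telnet nor nc has to be installed on the forwarder.
tcp_check() {
  host="${1%%:*}"; port="${1##*:}"
  if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo open
  else
    echo closed
  fi
}

# Count TcpOutputProc lines in splunkd.log that indicate the indexer could not be reached.
# The phrases below are assumed from typical forwarder log messages; extend as needed.
tcpout_errors() {
  grep -c -E 'TcpOutputProc.*(Connection to .* failed|timed out|blocked for|Connection failure)' "$1" || true
}

main() {
  conf="${1:-$SPLUNK_HOME/etc/system/local/outputs.conf}"
  log="${2:-$SPLUNK_HOME/var/log/splunk/splunkd.log}"
  echo "outputs.conf: $conf"
  for target in $(outputs_targets "$conf"); do
    echo "  $target -> $(tcp_check "$target")"
  done
  echo "TcpOutputProc error lines in $log: $(tcpout_errors "$log")"
}

# Only run the report when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it on the forwarder as `sh check_forwarder.sh /opt/splunkforwarder/etc/system/local/outputs.conf /opt/splunkforwarder/var/log/splunk/splunkd.log`; a "closed" result for ServerA:9997 points at a firewall or a missing receiving port on the indexer rather than at the forwarder configuration.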
Hi vivekg72,
What is your question?
To send logs from a forwarder to an indexer, see https://docs.splunk.com/Documentation/Splunk/6.6.3/Data/WhatSplunkcanmonitor
Bye.
Giuseppe