Getting Data In

Error messages when I try to connect the universal forwarder

dougsummersett
New Member

Hi, I'm brand new to Splunk and have been given an existing Splunk environment to manage. I need to get a universal forwarder installed on a couple of servers. This environment already has several universal forwarders in place. I installed the forwarders and selected the Windows Application, Security and System logs. The deployment is set up to listen on port 9997.

In the splunkd log on the forwarder server, I see these lines repeated and I'm not sure what they mean. I'd appreciate any help, and keep in mind that I'm still very new to this. Thanks!

09-28-2017 18:45:47.694 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
09-28-2017 18:45:59.695 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
09-28-2017 18:46:02.913 -0400 WARN HttpPubSubConnection - HTTP client error in http pubsub Connection closed by peer uri=https://team-splunk01:9997/services/broker/connect/A917C286-95F0-4285-9F0C-8FDE5F9C5596/TEAM-SV-FILE...
09-28-2017 18:46:02.913 -0400 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:

0 Karma

gcusello
SplunkTrust

Hi dougsummersett,
the first messages mean that the new UFs cannot connect to the Deployment Server.
You can test this using telnet on the management port (usually 8089).
Did you configure a Deployment Server?
If not, the message isn't important.
If yes and the connection is OK, check whether your UF is seen by the Deployment Server.

When you say "The deployment is set up to listen on port 9997", are you speaking of the Indexer?

To debug the connection with the Indexers, first test the connection using telnet on port 9997: telnet team-splunk01 9997.
After that, configure outputs.conf on the forwarders to send logs to the Indexers (I usually use the Deployment Server, but it's also possible to do this manually).
When outputs.conf is OK to send logs to the indexers (and Splunk has been restarted), check whether the Indexers are receiving internal logs (index=_internal host=Universal_Forwarder_hostname).

If that's OK, I suggest using Splunk_TA_Windows (eventually distributed by the Deployment Server) to collect the Windows logs.

Bye.
Giuseppe

0 Karma
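The checks Giuseppe describes (classify the repeated splunkd.log lines, probe the deployment server and indexer ports the way telnet would, then point outputs.conf at the receiving port) can be scripted. The Python below is an added example written for this thread; it is not code from the forum post or from Splunk. The log lines are a constructed sample modelled on the question (the host name and client GUID are copied from the question, the forwarder host name at the end of the URI is a placeholder), the function names are assumed, and the port constants use the defaults the answer mentions (8089 management, 9997 receiving). Note what the diagnostic surfaces: the pubsub URI in the question targets team-splunk01:9997, the indexer receiving port, which is the mismatch Giuseppe's "are you speaking of the Indexer?" question is getting at.

```python
import re
import socket
from collections import Counter
from urllib.parse import urlparse

MGMT_PORT = 8089   # default Splunk management port; the deployment server answers here
RECV_PORT = 9997   # conventional indexer receiving port (splunktcp input)

# Constructed sample, modelled on the splunkd.log lines quoted in the question.
# Host name and GUID come from the question; "UF-HOSTNAME-PLACEHOLDER" stands in
# for the forwarder name that was truncated in the original post.
SAMPLE_LOG = """\
09-28-2017 18:45:47.694 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
09-28-2017 18:45:59.695 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
09-28-2017 18:46:02.913 -0400 WARN HttpPubSubConnection - HTTP client error in http pubsub Connection closed by peer uri=https://team-splunk01:9997/services/broker/connect/A917C286-95F0-4285-9F0C-8FDE5F9C5596/UF-HOSTNAME-PLACEHOLDER
09-28-2017 18:46:02.913 -0400 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
"""

# splunkd.log layout: "<date> <time> <tz> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$"
)
URI_RE = re.compile(r"uri=(?P<uri>\S+)")


def parse_line(line):
    """Split one splunkd.log line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(log_text):
    """Count deployment-client and pubsub failures and extract the DS endpoint the UF is using."""
    counts = Counter()
    ds_endpoints = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["component"] == "DC:DeploymentClient" and "err=not_connected" in rec["msg"]:
            counts["ds_not_connected"] += 1
        elif rec["component"] == "HttpPubSubConnection":
            counts["pubsub_error"] += 1
            u = URI_RE.search(rec["msg"])
            if u:
                parsed = urlparse(u.group("uri"))
                if parsed.hostname and parsed.port:
                    ds_endpoints.add((parsed.hostname, parsed.port))
    findings = []
    if counts["ds_not_connected"]:
        findings.append("deployment client cannot reach the deployment server "
                        f"({counts['ds_not_connected']} handshake retries)")
    for host, port in sorted(ds_endpoints):
        if port == RECV_PORT:
            findings.append(f"deployment client targets {host}:{port}, the indexer receiving "
                            f"port; a deployment server normally listens on {MGMT_PORT}")
    return {"counts": dict(counts), "ds_endpoints": sorted(ds_endpoints), "findings": findings}


def tcp_reachable(host, port, timeout=3.0):
    """Scripted equivalent of 'telnet host port': can a TCP connection be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def selfcheck_tcp_probe():
    """Exercise tcp_reachable offline: open a local listener, probe it, close it, probe again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


def render_outputs_conf(indexers, group="primary_indexers"):
    """Minimal outputs.conf that sends the forwarder's data to the indexers' receiving port."""
    servers = ", ".join(f"{host}:{RECV_PORT}" for host in indexers)
    return f"[tcpout]\ndefaultGroup = {group}\n\n[tcpout:{group}]\nserver = {servers}\n"


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    for finding in report["findings"]:
        print("FINDING:", finding)
    for host, port in report["ds_endpoints"]:
        print(f"{host}:{port} reachable: {tcp_reachable(host, port)}")
        print(f"{host}:{MGMT_PORT} reachable: {tcp_reachable(host, MGMT_PORT)}")
    print(render_outputs_conf(["team-splunk01"]))
```

Run it on the real splunkd.log (replace SAMPLE_LOG with the file contents) from the forwarder host, so the port probes run from the same network position as the UF; a port that telnet reaches from your workstation but not from the forwarder is a firewall question, not a Splunk one. After changing outputs.conf, restart the forwarder and confirm with the `index=_internal host=<forwarder>` search from the answer.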