Hi guys!
I've this scenario:
hq-splunk-fwd-01 splunk-fwd-01 splunk01
syslogsrv + universal forwarder => syslogsrv + universal forwarder => indexer
hq- forwarder is installed on a CentOS in a different network from the other parts of the installation, but it can reach splunk-fd-01 with routing. I've already some UFs on other Windows VMs that communicate with splunk-fwd-01 without problems. I think that isn't a network problem but my fault on some configuration ... on hq-splunk-01 I've a syslogngsrv such as on splunk-fwd-01 ... I've set splunk-fwd-01 as forwarder in the outputs.conf of hq-splunk-fwd01 (port 9996) and a monitor stanza for /var/log/syslog/myfolder .... but I can't find anything on my Splunk ... I've checked metrics.log with this query:
index = _internal | search "x.x.x.x" source="/opt/splunkforwarder/var/log/splunk/metrics.log"
where x.x.x.x is the IP of hq-splunk.fwd-01 ... see the attachment for the output.
I can see the connection but don't find the events ... in other words: where is my data!
Have you set your indexer with an inputs.conf and a stanza
[splunktcp:9996]?
Other forwarders work fine ... all of them using the stanza you've suggested.
For more correct info: the indexer has 9997 on its inputs.conf stanza and splunk.fwd-01 9996 ... I'm using 9996 on splunk-fwd-01
That's the problem. Those forwarders are sending to a port that is not open on the indexer. So you need to add the stanza with the 9996 on the indexer's inputs.conf too. Or repoint those forwarders' outputs.conf to send to port 9997.
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
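As an added illustration of the port mismatch diagnosed above (example code, not from anyone in this thread or from Splunk itself): the script below models each hop's outputs.conf and inputs.conf and checks that every hop forwards to a port the next hop actually listens on. The host names and .conf contents are constructed from the scenario in the thread; the intermediate forwarder sending to 9996 while the indexer listens on 9997 is flagged, and the corrected chain passes.

```python
import configparser


def parse_conf(text):
    # Splunk .conf files are INI-like; keep key case and tolerate duplicate keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def listening_ports(inputs_conf):
    # [splunktcp://<port>] stanzas declare the ports a receiver accepts forwarder data on.
    ports = set()
    for stanza in parse_conf(inputs_conf).sections():
        if stanza.startswith("splunktcp://"):
            ports.add(int(stanza.split("://", 1)[1].rsplit(":", 1)[-1]))
    return ports


def output_targets(outputs_conf):
    # [tcpout:<group>] server = host:port[, host:port] lists where this hop forwards to.
    targets = []
    cp = parse_conf(outputs_conf)
    for stanza in cp.sections():
        if stanza.startswith("tcpout:") and cp.has_option(stanza, "server"):
            for hp in cp.get(stanza, "server").split(","):
                host, port = hp.strip().rsplit(":", 1)
                targets.append((host, int(port)))
    return targets


def check_chain(hosts):
    """hosts: {name: {"inputs": str, "outputs": str}}. Returns (sender, receiver, port) for each broken hop."""
    broken = []
    for name, conf in hosts.items():
        for host, port in output_targets(conf.get("outputs", "")):
            nxt = hosts.get(host)
            if nxt is None or port not in listening_ports(nxt.get("inputs", "")):
                broken.append((name, host, port))
    return broken


# Constructed configs matching the thread: the indexer listens on 9997, but the
# intermediate forwarder still sends to 9996, so the last hop is broken.
HQ_OUT = "[tcpout]\ndefaultGroup = fwd\n[tcpout:fwd]\nserver = splunk-fwd-01:9996\n"
FWD_IN = "[splunktcp://9996]\ndisabled = 0\n"
FWD_OUT = "[tcpout]\ndefaultGroup = idx\n[tcpout:idx]\nserver = splunk01:9996\n"
IDX_IN = "[splunktcp://9997]\ndisabled = 0\n"
BROKEN = {"hq-splunk-fwd-01": {"outputs": HQ_OUT},
          "splunk-fwd-01": {"inputs": FWD_IN, "outputs": FWD_OUT},
          "splunk01": {"inputs": IDX_IN}}
# Same chain after repointing splunk-fwd-01 at the indexer's open port.
FIXED = {**BROKEN, "splunk-fwd-01": {"inputs": FWD_IN, "outputs": FWD_OUT.replace("9996", "9997")}}
```

Running check_chain(BROKEN) returns the single broken hop from splunk-fwd-01 to splunk01:9996; check_chain(FIXED) returns an empty list.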