Getting Data In

log forwarding doesnt work, linux

konradwawryn
Explorer

Hi,

it would be great if somebody could help me. Since few hours I`m trying to configure log forwarder, but without result.

This is my scenario:

(1)ApplicationServer --> (2)SomeServer with Splunkforwarder --> (3)Splunk server

(1)hostname:appserver Application server(Tomcat) generating logs. On the same machine I have installed Splunkforwarder which forwarding(not working at the moment) logs to machine (2).

(2)hostname:logforwarder Someserver with Splunkforwarder - this machine needs to receive all logs from machine (1) and forward it to machine number (3)

(3)hostname:webpanel Splunk server - webpanel

Maybe somebody could paste here content of inputs.conf / outputs.conf for appserver , logforwarder. I would like to finaly establish connection between that machines.

Thanks in advance for Your help.

0 Karma

emiller42
Motivator

To accomplish this the second host in the chain needs to be a full version of splunk, not a Universal Forwarder. This is because the intermediary will be acting as an indexer to collect any data forwarded to it.

So on your application server, in it's Universal forwarder instance, you will want an outputs.conf with something like:

[tcpout]
server=logforwarder

Then, on the logforwarder machine, you will have a full splunk install, but it will also have a outputs.conf indicating where it should send it's data to:

[tcpout]
server=webpanel

logforwarder does not need an inputs.conf, as it's not monitoring any logs directly. It's simply accepting incoming data much like an indexer would. You would also want to have any other props.conf stanzas present that are relevant at index-time. (line breaking, timestamps, etc)

0 Karma

konradwawryn
Explorer

Appserver cannot forward directly to webpanel because it is located in DMZ. I need to transfer logs using machine(some kind of gateway) which have an access to DMZ and LAN.

Appserver(DMZ) --- firewall = port 8089/9997 open --> logforwarder(DMZ) --- firewall between DMZ and LAN = port 8089/9997 open --> webpanel(LAN)

I would like to know how to configure inputs.conf and outputs.conf files on that first two machines.

0 Karma

emiller42
Motivator

Can you be more specific in the roles each of these servers plays? Why isn't appserver forwarding directly to webpanel?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...