I am trying to forward *.log files from a windows server to a linux index server. I get the WMI data to index; I get the correct files listed from "splunk list monitor", but I don't get the log files indexing from the output of "splunk list monitor" in question.
I have confirmed the windows server can connect to the index server:
# netstat -an | grep 9000
tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN
.
.
tcp 0 0 xx.xx.17.53:9000 xx.xx.16.83:36092 ESTABLISHED
And here is the output from the splunkd.log file:
10-01-2010 07:08:30.975 INFO TcpInputProc - Connection in cooked mode from xxx-xxx.com 10-01-2010 07:08:30.984 INFO TcpInputProc - Connection accepted from xxx-xxx.com 10-01-2010 07:08:45.257 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::WinEventLog:Application|host::xxxxxx|WinEventLog:Application|remoteport::33982" Text="quiresLogon/ 10-01-2010 07:08:45.257 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::WinEventLog:Application|host::xxx xxx|WinEventLog:Application|remoteport::33982" Text="com;blah.blah.com 10-01-2010 07:21:47.493 ERROR TcpInputProc - Error encountered for connection from host=xxx-xxx.com, ip=10.204.16.83. Timeout 10-01-2010 07:21:47.493 INFO TcpInputProc - Hostname=xxx-xxx.com closed connection 10-01-2010 08:01:40.402 INFO TcpInputProc - Connection in cooked mode from xxx-xxx.com 10-01-2010 08:01:40.413 INFO TcpInputProc - Connection accepted from xxx-xxx.com
Any idea why I get WMI and not *.log even though "splunk list monitor" shows I should?
Pstein
check if you have windows app enable on your linux indexer first.