Getting Data In

How to test successful Universal Forwarder installation?

mathdewulf
New Member

I've installed the universal forwarder on a Windows client to forward the data to my central log collector, which is also a Windows installation.
However, I'm seeing no events coming from that source.
Don't know where to start troubleshooting first.
Maybe firewall?
I've downloaded the deployment monitor tool also.

0 Karma

mathdewulf
New Member

The output of splunkd.log on the uniforwarder: http://oi43.tinypic.com/2yy81tu.jpg

Which outputs.conf I have to modify on receiver?
Is it the one in the \etc\apps\SplunkForwarder\default folder?

0 Karma

linu1988
Champion

The best way to troubleshoot is to look at splunkd.log under the Splunk Uniforwarder->var->log folder.

And did you configure the receiving port on your search head, and modify the outputs.conf for the destination server?

0 Karma

jtworzydlo
Path Finder

Could you paste some extracts from the config files (inputs/outputs.conf?) and tell us more about your architecture? Is it only forwarder-indexer, or do you have a deployment server installed, too?
My good way to test the installation is to configure forwarding the forwarder's own splunkd.log to the indexer - if I see the data, then I know that the basic functionality works fine.
If you would like to troubleshoot, you should also take a look at the splunkd.log in your var/log/splunk directory.

0 Karma

LiquidTension
Path Finder

You could try to telnet to your deployment server on the configured port. The error you posted to tinypic.com can be an indicator of a firewall blocking the connection.

0 Karma

jtworzydlo
Path Finder

I think you should be looking at the config files in the etc/apps/SplunkUniversalForwarder/local folder. If you have a universal forwarder installed, that's where you should put your config. In the inputs.conf you tell the forwarder which files to monitor. In the outputs.conf you configure where the data should be sent (your destination (indexer)). You should also enable receiving the data on the indexer side (add [splunktcp://:9997] to $SPLUNK_HOME/etc/system/local/inputs.conf). You should also create an index for the data.

0 Karma
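The two checks suggested in this thread (test the receiving port by hand, then make sure outputs.conf on the forwarder points at an indexer that is actually listening) can be scripted. The following is an added example, not part of the thread and not Splunk's own tooling: it reads the `[tcpout:<group>]` `server` entries from a forwarder's outputs.conf, scans splunkd.log for TcpOutput warnings and errors, and performs a plain TCP connect to each target, which is what the telnet test does manually. The outputs.conf text and the log lines are constructed samples; the host 10.0.0.5, the group name and the exact log wording are assumptions (real messages vary between Splunk versions).

```python
"""Added troubleshooting helper (not Splunk's own tooling): where is the
forwarder trying to send data, does splunkd.log say delivery is failing,
and is the receiving port reachable at all?"""
import configparser
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample of a forwarder's outputs.conf. The [tcpout] /
# [tcpout:<group>] stanzas and the 'server' key are real Splunk settings;
# the host and the group name are made up for this example.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = 10.0.0.5:9997
"""

# Constructed splunkd.log lines modelled on the forwarder's TcpOutput
# messages. Wording differs between versions, so the regex below keys on
# the log level and component, not on the full sentence.
SAMPLE_SPLUNKD_LOG = [
    "01-15-2014 10:02:11.123 +0100 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 10.0.0.5:9997",
    "01-15-2014 10:02:13.456 +0100 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out",
    "01-15-2014 10:02:14.789 +0100 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed",
    "01-15-2014 10:02:14.790 +0100 WARN  TcpOutputProc - Connection to 10.0.0.5:9997 failed. Connection refused",
]

Target = Tuple[str, int]


def parse_outputs_conf(text: str) -> List[Target]:
    """Return every (host, port) named in a [tcpout:<group>] 'server' key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    targets: List[Target] = []
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        # Splunk allows a comma-separated list of host:port entries per group.
        for entry in cp.get(section, "server", fallback="").split(","):
            entry = entry.strip()
            if entry:
                host, _, port = entry.rpartition(":")
                targets.append((host, int(port)))
    return targets


# Level, TcpOutput component, then the first host:port on the line
# (optionally prefixed with 'ip=' or 'host=' as the forwarder logs it).
_FAILURE_RE = re.compile(
    r"\b(WARN|ERROR)\s+(?:TcpOutputProc|TcpOutputFd)\b.*?(?:ip=|host=)?([\w.\-]+):(\d+)"
)


def find_output_failures(lines) -> List[Tuple[str, str, int]]:
    """Return (level, host, port) for each TcpOutput warning/error line."""
    found = []
    for line in lines:
        m = _FAILURE_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def check_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP-connect to host:port; the scripted equivalent of the telnet test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(outputs_text: str, log_lines,
             probe: Callable[[str, int], bool] = check_port) -> Dict:
    """Run the three checks and turn the result into concrete next steps."""
    targets = parse_outputs_conf(outputs_text)
    failures = find_output_failures(log_lines)
    reachable = {t: probe(*t) for t in targets}
    advice = []
    if not targets:
        advice.append("no [tcpout:<group>] server entry found: the forwarder's "
                      "outputs.conf (etc/system/local or the app's local folder) is missing or empty")
    for (host, port), ok in reachable.items():
        if not ok:
            advice.append(f"{host}:{port} not reachable: check that the indexer has a "
                          f"[splunktcp://:{port}] stanza in inputs.conf and that no firewall blocks the port")
    if failures and all(reachable.values()):
        advice.append("port is reachable but splunkd.log still shows failures: "
                      "restart the forwarder and re-read the log")
    return {"targets": targets, "failures": len(failures),
            "reachable": reachable, "advice": advice}


if __name__ == "__main__":
    # Offline demo: the probe is stubbed so the sample host is never contacted.
    print(diagnose(SAMPLE_OUTPUTS_CONF, SAMPLE_SPLUNKD_LOG, probe=lambda h, p: False))
```

On a real forwarder you would read `outputs.conf` and `var/log/splunk/splunkd.log` from disk and leave `probe` at its default so `check_port` actually connects; a target that is unreachable while the indexer has no `[splunktcp://:9997]` stanza is the situation the original poster describes.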

mathdewulf
New Member

It is my first forwarder so far. I'm just getting started with Splunk. I've installed the universal forwarder on the client to forward logs to my server.
I think my server isn't configured to receive logs from other sources? Port 8889 is not running. I've found several inputs/outputs.conf files, so which one exactly is relevant?

0 Karma