Solved: Deployment monitor and intermediary forwarder

echalex · ‎08-20-2012

Hi,

We have set up a Splunk infrastructure where all forwarders send their data to intermediary forwarders (universal forwarders), which in turn forward the data to the indexers.

This is working out nicely, except for the Deployment monitor which does not present any information about the client forwarders, which use the intermediary forwarders. In other words, the indexers, search heads and intermediary forwarders are visible, as well as all the older forwarders who send their data directly to an indexer.

Is there any way of getting ALL the information through the intermediary forwarders?

echalex · ‎09-28-2012

Aha! Found the problem!

Events for _internal are not being forwarded by default. So I decided to test adding this to etc/system/local/outputs.conf on the intermediary forwarders:

[tcpout]
forwardedindex.3.whitelist = _internal

This solved the problem. No I see all forwarders.

View solution in original post

echalex · ‎09-28-2012

Aha! Found the problem!

Events for _internal are not being forwarded by default. So I decided to test adding this to etc/system/local/outputs.conf on the intermediary forwarders:

[tcpout]
forwardedindex.3.whitelist = _internal

This solved the problem. No I see all forwarders.

trutch · ‎02-10-2014

This just solved an issue with my Heavy Forwarder. The weird thing is that _internal is all ready whitelisted in system/default/outputs.conf

forwardedindex.2.whitelist = (_audit|_internal)

Thanks for following up and answering your own question!

Deployment monitor and intermediary forwarder

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases