Re: Why are logs not being forwarded after install...

blebit · ‎11-10-2014

hi all,

after installing splunk universal forwarder on linux machine RHEL i have this message after ./splunk list forward-server :
Active forwards:
None
Configured but inactive forwards:
x.x.x.x:9997
but i checked firewall and it is ok.

Connection to x.x.x.x 9997 port [tcp/palace-6] succeeded!
But logs are not going on splunk server
universalforwarder version: splunkforwarder-6.1.4-233537-linux-2.6-x86_64.rpm

what might be the problem?
thanks

grijhwani · ‎11-10-2014

What version is your indexer/heavy forwarder doing the receiving?

blebit · ‎11-10-2014

splunk server: 6.1.2 on centOS

Raghav2384 · ‎11-10-2014

Did you enable Receiving on the Splunk Server, which is supposed to get the logs forwarded by UF?

blebit · ‎11-10-2014

yes, because i am receiving from other linux hosts

Raghav2384 · ‎11-10-2014

Interesting, Just did a UF install. Created some Monitor stanzas in inputs.conf and mentioned server in the outputs.conf. I see the server address after forwards: x.x.x.x. Is the splunkd running on the splunk server 🙂 (Please don't yell at me for asking this). Reason why i ask, i get forward : none after i intentionally stopped splunkd on Splunk server.

blebit · ‎11-10-2014

on client:

/opt/splunkforwarder/bin/splunk start
The splunk daemon (splunkd) is already running.

on server also is running, i have 230 hosts sending logs on splunk.
also in this case i am monitoring /var/log/
i think i followed all the instructions.

Why are logs not being forwarded after installing the universal forwarder on Linux machineRHEL?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases