Hi all,
After installing the Splunk universal forwarder on a Linux machine (RHEL), I get this message after running ./splunk list forward-server:
Active forwards:
None
Configured but inactive forwards:
x.x.x.x:9997
But I checked the firewall and it is OK.
Connection to x.x.x.x 9997 port [tcp/palace-6] succeeded!
But logs are not going to the Splunk server.
Universal forwarder version: splunkforwarder-6.1.4-233537-linux-2.6-x86_64.rpm
What might be the problem?
Thanks
What version is your indexer/heavy forwarder doing the receiving?
Splunk server: 6.1.2 on CentOS
Did you enable Receiving on the Splunk Server, which is supposed to get the logs forwarded by UF?
Yes, because I am receiving from other Linux hosts.
Interesting. I just did a UF install, created some monitor stanzas in inputs.conf and mentioned the server in outputs.conf. I see the server address after forwards: x.x.x.x. Is splunkd running on the Splunk server? 🙂 (Please don't yell at me for asking this.) The reason I ask: I get forward: none after I intentionally stopped splunkd on the Splunk server.
On the client:
/opt/splunkforwarder/bin/splunk start
The splunk daemon (splunkd) is already running.
It is also running on the server; I have 230 hosts sending logs to Splunk.
Also, in this case I am monitoring /var/log/.
I think I followed all the instructions.