- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: log forwarding doesnt work, linux
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
log forwarding doesnt work, linux
Hi,
it would be great if somebody could help me. Since few hours I`m trying to configure log forwarder, but without result.
This is my scenario:
(1)ApplicationServer --> (2)SomeServer with Splunkforwarder --> (3)Splunk server
(1)hostname:appserver Application server(Tomcat) generating logs. On the same machine I have installed Splunkforwarder which forwarding(not working at the moment) logs to machine (2).
(2)hostname:logforwarder Someserver with Splunkforwarder - this machine needs to receive all logs from machine (1) and forward it to machine number (3)
(3)hostname:webpanel Splunk server - webpanel
Maybe somebody could paste here content of inputs.conf / outputs.conf for appserver , logforwarder. I would like to finaly establish connection between that machines.
Thanks in advance for Your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To accomplish this the second host in the chain needs to be a full version of splunk, not a Universal Forwarder. This is because the intermediary will be acting as an indexer to collect any data forwarded to it.
So on your application server, in it's Universal forwarder instance, you will want an outputs.conf with something like:
[tcpout]
server=logforwarder
Then, on the logforwarder machine, you will have a full splunk install, but it will also have a outputs.conf indicating where it should send it's data to:
[tcpout]
server=webpanel
logforwarder does not need an inputs.conf, as it's not monitoring any logs directly. It's simply accepting incoming data much like an indexer would. You would also want to have any other props.conf stanzas present that are relevant at index-time. (line breaking, timestamps, etc)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Appserver cannot forward directly to webpanel because it is located in DMZ. I need to transfer logs using machine(some kind of gateway) which have an access to DMZ and LAN.
Appserver(DMZ) --- firewall = port 8089/9997 open --> logforwarder(DMZ) --- firewall between DMZ and LAN = port 8089/9997 open --> webpanel(LAN)
I would like to know how to configure inputs.conf and outputs.conf files on that first two machines.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you be more specific in the roles each of these servers plays? Why isn't appserver forwarding directly to webpanel?
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
