Hi,
it would be great if somebody could help me. Since few hours I`m trying to configure log forwarder, but without result.
This is my scenario:
(1)ApplicationServer --> (2)SomeServer with Splunkforwarder --> (3)Splunk server
(1)hostname:appserver Application server(Tomcat) generating logs. On the same machine I have installed Splunkforwarder which forwarding(not working at the moment) logs to machine (2).
(2)hostname:logforwarder Someserver with Splunkforwarder - this machine needs to receive all logs from machine (1) and forward it to machine number (3)
(3)hostname:webpanel Splunk server - webpanel
Maybe somebody could paste here content of inputs.conf / outputs.conf for appserver , logforwarder. I would like to finaly establish connection between that machines.
Thanks in advance for Your help.
To accomplish this the second host in the chain needs to be a full version of splunk, not a Universal Forwarder. This is because the intermediary will be acting as an indexer to collect any data forwarded to it.
So on your application server, in it's Universal forwarder instance, you will want an outputs.conf with something like:
[tcpout]
server=logforwarder
Then, on the logforwarder machine, you will have a full splunk install, but it will also have a outputs.conf indicating where it should send it's data to:
[tcpout]
server=webpanel
logforwarder does not need an inputs.conf, as it's not monitoring any logs directly. It's simply accepting incoming data much like an indexer would. You would also want to have any other props.conf stanzas present that are relevant at index-time. (line breaking, timestamps, etc)
Appserver cannot forward directly to webpanel because it is located in DMZ. I need to transfer logs using machine(some kind of gateway) which have an access to DMZ and LAN.
Appserver(DMZ) --- firewall = port 8089/9997 open --> logforwarder(DMZ) --- firewall between DMZ and LAN = port 8089/9997 open --> webpanel(LAN)
I would like to know how to configure inputs.conf and outputs.conf files on that first two machines.
Can you be more specific in the roles each of these servers plays? Why isn't appserver forwarding directly to webpanel?