My setup is a single forwarder sending logs to a Splunk server. Both machines are running Windows 2008. After editing configuration files, I managed to get my forwarder's log to say:
11-21-2011 12:30:17.921 +0200 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: rejected
Obviously, in my "main" Splunk server, I only see one PC in sources. My question is, how do I set up my Splunk to accept and parse the logs sent by the universal forwarder? I have no problem using either a text editor to edit files manually or the web interface.
Thank you