Hi.
I have two Linux boxes - one is a full Splunk with a web interface.
The second one is a test one, which is supposed to send all performance data, logs, etc. to the main Splunk server.
I tried Universal forwarder and SplunkLightForwarder.
I can't see any data in my main Splunk server - checked for TCP listening on port 6996.
Here is the configuration from the Universal and Light forwarders:
for Universal: /opt/splunkforwarder/etc/system/local/outputs.conf
for Light: /opt/splunk/etc/apps/SplunkLightForwarder/local/outputs.conf
[tcpout]
defaultGroup=my_indexers
heartbeatFrequency=15
indexAndForward=true
[tcpout:my_indexers]
server=10.251.1.132:6996
[syslog]
defaultGroup = my_indexers
[syslog:my_indexers]
server=10.251.1.132:6996
priority=37
Is this configuration enough, for example, to pass root access logs?
Do I have to run the Splunk client as root?
If the configuration is fine, how can I force the main Splunk to get and show messages and alerts?
Thanks in advance.