Hello,
I have a brand new install of a splunk indexer and several clients running forwarders. To install the clients I used the following command:
msiexec.exe /i \\dc1.butcher.local\Splunkd\splunk-4.2.1-98164-x86-release.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="splunk.domain.local:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="Domain\splunk-svc" IS_NET_API_LOGON_PASSWORD="Password1" WINEVENTLOGAPPCHECK=0 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=1 WINEVENTLOGFWDCHECK=1 WINEVENTLOGSETCHECK=1 /quiet
The installer completes with no errors and I can see splunk running in services.
The account I'm using (Domain\splunk-svc) has all the required permissions to run splunk.
I have installed splunk on the server I would like to use as my indexer/search head. (splunk.domain.local)
I have configured splunk.domain.local to receive on port 9997. There is no firewall blocking this port and I can telnet to port 9997 from any of the clients.
When I go to Search there are simply no events to display and it does not see any hosts. I am able to add data by logging into the web page and adding remote data sources, but I know this should not be required and it's not the way I want to roll out splunk to my domain.
Here are excerpts of my splunkd log on the client machines:
05-06-2011 10:39:15.559 -0400 WARN IndexProcessor - received event for unconfigured/disabled index='_audit' with source='source::audittrail' host='host::EXCH1' sourcetype='sourcetype::audittrail' (1 missing total)
05-06-2011 10:39:15.559 -0400 WARN pipeline - Empty pipeline (no processors): scheduler, exiting pipeline
05-06-2011 10:39:15.559 -0400 INFO loader - Server supporting SSL v2/v3
05-06-2011 10:39:15.559 -0400 INFO loader - Using cipher suite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
05-06-2011 10:39:15.574 -0400 INFO TPool - initializing BatchReaderTPool with 1 workers
05-06-2011 10:39:15.731 -0400 INFO TailingProcessor - TailWatcher initializing...
05-06-2011 10:39:15.731 -0400 INFO TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME\var\spool\splunk.
05-06-2011 10:39:15.746 -0400 INFO TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME\var\spool\splunk\...stash_new.
05-06-2011 10:39:15.746 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME\etc\splunk.version.
05-06-2011 10:39:15.746 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME\var\log\splunk.
05-06-2011 10:39:15.746 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME\var\log\splunk\metrics.log.
05-06-2011 10:39:15.746 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log.
05-06-2011 10:39:15.746 -0400 INFO BatchReader - State transitioning from 2 to 0 (initOrResume).
05-06-2011 10:39:15.902 -0400 INFO WatchedFile - Will begin reading at offset=1762894 for file='C:\Program Files\Splunk\var\log\splunk\metrics.log'.
05-06-2011 10:39:15.996 -0400 INFO WatchedFile - Will begin reading at offset=24996713 for file='C:\Program Files\Splunk\var\log\splunk\metrics.log.1'.
05-06-2011 10:39:16.621 -0400 INFO WatchedFile - Will begin reading at offset=635848 for file='C:\Program Files\Splunk\var\log\splunk\splunkd.bak'.
05-06-2011 10:39:16.762 -0400 INFO TcpOutputProc - Connected to idx=192.168.1.117:9997
On the server side the metrics log says:
05-06-2011 10:44:36.010 -0400 INFO StatusMgr - destPort=9997, eventType=connect_done, sourceHost=192.168.1.111, sourceIp=192.168.1.111, sourcePort=2428, statusee=TcpInputProcessor
05-06-2011 10:44:36.010 -0400 INFO StatusMgr - sourcePort=9997, ssl=false, statusee=TcpInputProcessor
05-06-2011 10:44:41.728 -0400 INFO StatusMgr - destPort=9997, eventType=connect_close, sourceHost=192.168.1.111, sourceIp=192.168.1.111, sourcePort=2428, statusee=TcpInputProcessor
05-06-2011 10:44:45.603 -0400 INFO StatusMgr - destPort=9997, eventType=connect_done, sourceHost=192.168.1.136, sourceIp=192.168.1.136, sourcePort=10659, statusee=TcpInputProcessor
05-06-2011 10:44:45.603 -0400 INFO StatusMgr - sourcePort=9997, ssl=false, statusee=TcpInputProcessor
I can see from this log that my client machine (192.168.1.136) has clearly connected, and yet I can't see any events!
Can anyone tell me what step I've missed?
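As an added troubleshooting aid (example code written for this page, not from the poster or from Splunk), the script below parses lines shaped like the two excerpts above into a per-forwarder connection timeline on the indexer side and pulls out the forwarder-side "unconfigured/disabled index" warnings, so that "it connected" and "it sent something that was kept" can be told apart. The sample lines are constructed from the excerpts, and the 10-second short-session threshold is an assumed value.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the post's excerpts (not a real capture).
FORWARDER_LOG = """\
05-06-2011 10:39:15.559 -0400 WARN IndexProcessor - received event for unconfigured/disabled index='_audit' with source='source::audittrail' host='host::EXCH1' sourcetype='sourcetype::audittrail' (1 missing total)
"""
INDEXER_METRICS = """\
05-06-2011 10:44:36.010 -0400 INFO StatusMgr - destPort=9997, eventType=connect_done, sourceHost=192.168.1.111, sourceIp=192.168.1.111, sourcePort=2428, statusee=TcpInputProcessor
05-06-2011 10:44:36.010 -0400 INFO StatusMgr - sourcePort=9997, ssl=false, statusee=TcpInputProcessor
05-06-2011 10:44:41.728 -0400 INFO StatusMgr - destPort=9997, eventType=connect_close, sourceHost=192.168.1.111, sourceIp=192.168.1.111, sourcePort=2428, statusee=TcpInputProcessor
05-06-2011 10:44:45.603 -0400 INFO StatusMgr - destPort=9997, eventType=connect_done, sourceHost=192.168.1.136, sourceIp=192.168.1.136, sourcePort=10659, statusee=TcpInputProcessor
"""

# Line shape: "MM-DD-YYYY HH:MM:SS.mmm -ZZZZ LEVEL Component - message"; the message holds key=value pairs.
LINE_RE = re.compile(r"^(\S+ \S+) ([+-]\d{4}) (\w+) (\w+) - (.*)$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")
WARN_RE = re.compile(r"WARN IndexProcessor - received event for unconfigured/disabled index='([^']+)'.*host='host::([^']+)'")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m-%d-%Y %H:%M:%S.%f %z")
    return {"ts": ts, "level": m.group(3), "component": m.group(4),
            "msg": m.group(5), "kv": dict(KV_RE.findall(m.group(5)))}

def connection_sessions(metrics_text, short_threshold_s=10.0):
    """Pair connect_done/connect_close per (sourceHost, sourcePort) on the indexer; a session closed
    within short_threshold_s (assumed value) is flagged, since such a forwarder is usually sending nothing."""
    open_conns, sessions = {}, []
    for line in metrics_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["component"] != "StatusMgr":
            continue
        kv = ev["kv"]
        key = (kv.get("sourceHost"), kv.get("sourcePort"))
        if kv.get("eventType") == "connect_done":
            open_conns[key] = ev["ts"]
        elif kv.get("eventType") == "connect_close" and key in open_conns:
            dur = (ev["ts"] - open_conns.pop(key)).total_seconds()
            sessions.append({"host": key[0], "port": key[1], "duration_s": dur,
                             "short": dur < short_threshold_s})
    for host, port in open_conns:  # still open when the excerpt ends
        sessions.append({"host": host, "port": port, "duration_s": None, "short": False})
    return sessions

def dropped_index_warnings(forwarder_text):
    # (index, host) pairs for events the forwarder reported against an index it has no definition for.
    return [m.groups() for m in map(WARN_RE.search, forwarder_text.splitlines()) if m]
```

Run against the real metrics.log and splunkd.log, a host that appears only in short sessions, or only in the warning list, is the one to look at first.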