Hello,
I'm new to Splunk and I'm currently trying to set up communications from a Universal Forwarder + syslog-ng server to a Splunk server.
CONFIG

On Universal Forwarder side

Inputs:
[default]
host = syslog01.abc.local

[monitor:////var/log/syslog-ng/logs/cisco/$HOST/$YEAR-$MONTH-$DAY-cisco.log]
sourcetype = syslog
index = cisco
disabled = false
host_segment = 6

Outputs:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = @.220:9997

[tcpout-server://@.220:9997]

On Splunk server side:
[default]
host = frontlog.abc.local

[splunktcp://9997]
disabled=0
SHOWS

On Forwarder side:
[root@syslog01 local]# netstat -anp | grep 9997
tcp 0 1 @.219:48676 @.220:9997 SYN_SENT 2762/splunkd
07-08-2016 06:59:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
07-08-2016 07:00:21.094 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
07-08-2016 07:00:43.602 +0200 WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 3400 seconds.
07-08-2016 07:00:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
07-08-2016 07:01:21.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed
On server/receiver side:
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 7969/splunkd
Nothing relevant in splunkd.log.
I've been able to telnet to the server on port 9997.
Thanks
Best regards
Franck
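An added example, not part of Franck's post or of Splunk's own tooling: the script below summarises the TcpOutputProc warnings quoted above (how many connection timeouts per destination and for how long forwarding to the group has been blocked, i.e. the size of the log gap on the indexer) and then performs the same plain TCP connect the forwarder does, with a timeout, so that a "timed out" result can be distinguished from a "refused" one. The sample lines are the ones from the post (with the poster's "@" IP redaction kept); the regexes, function names and the SYN_SENT interpretation in the comments are assumptions of this example.

```python
"""Summarise Splunk forwarder TcpOutputProc warnings and probe the indexer port.

Added example for this thread, not code from the original post or from Splunk.
"""
import re
import socket
import sys
from datetime import datetime

# Sample lines as quoted in the post; IP octets were redacted as "@" by the poster.
SAMPLE_LOG = """\
07-08-2016 06:59:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
07-08-2016 07:00:21.094 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
07-08-2016 07:00:43.602 +0200 WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 3400 seconds.
07-08-2016 07:00:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
"""

# splunkd.log line layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+) TcpOutputProc - (?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"Cooked connection to ip=(?P<dest>\S+) timed out")
BLOCKED_RE = re.compile(
    r"Forwarding to indexer group (?P<group>\S+) blocked for (?P<secs>\d+) seconds"
)


def parse_tcpoutput(text):
    """Count timeouts per destination, record blocked groups, track first/last timestamp."""
    summary = {"timeouts": {}, "blocked": {}, "first": None, "last": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TcpOutputProc line (or a truncated one)
        ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
        summary["first"] = ts if summary["first"] is None else min(summary["first"], ts)
        summary["last"] = ts if summary["last"] is None else max(summary["last"], ts)
        msg = m.group("msg")
        t = TIMEOUT_RE.search(msg)
        if t:
            dest = t.group("dest")
            summary["timeouts"][dest] = summary["timeouts"].get(dest, 0) + 1
            continue
        b = BLOCKED_RE.search(msg)
        if b:
            # Seconds the output queue has been blocked: events are queuing on the
            # forwarder, so the indexer is blind for at least this long.
            summary["blocked"][b.group("group")] = int(b.group("secs"))
    return summary


def tcp_connect_check(host, port, timeout=5.0):
    """Do the same TCP handshake the forwarder attempts; return (ok, reason).

    A timeout here corresponds to the SYN_SENT state seen in netstat: the SYN
    leaves the forwarder but no SYN/ACK comes back (routing or a filtering
    device in between). A refusal means the host answered but nothing listens.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout: SYN not answered (check routing/firewall between the hosts)"
    except ConnectionRefusedError:
        return False, "refused: host reachable, but nothing listening on that port"
    except OSError as exc:
        return False, f"error: {exc}"


if __name__ == "__main__":
    print(parse_tcpoutput(SAMPLE_LOG))
    if len(sys.argv) == 3:  # usage: script.py <indexer-host> <port>
        print(tcp_connect_check(sys.argv[1], int(sys.argv[2])))
```

Run it with the indexer address and port from outputs.conf as arguments on the forwarder itself; a telnet test from another machine does not prove anything about the forwarder's own path to port 9997.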