I have installed Splunk version 7.3.2 on one server. I have installed Splunk forwarder version 7.3.2 on a second server. On the Splunk forwarder I ran these commands:

    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/syslog -index main -sourcetype %app%
    sudo /opt/splunkforwarder/bin/splunk add forward-server x.x.x.x:9997
    sudo /opt/splunk/bin/splunk start

(where x.x.x.x is the IP address of the Splunk server)

I tried rebooting both servers and restarting Splunk on both.

From the Splunk dashboard I want to see some indication of the logs from the server with the forwarder. I log into the web UI, I go to Settings -> Monitoring Console -> Indexing -> Indexes and Performance. But the only option I see is the Splunk server. If I go to Data Inputs in the web UI, I cannot click "Next." How can I see some evidence that the Splunk web UI is receiving data from the Splunk forwarder? I check network connectivity, and nothing is blocking TCP/IP communication between the two. I would expect to see some forwarded data in Splunk (on the main Splunk server), but I am not seeing that. What should I do?

Edit: Through the web UI for Splunk I configured a listening port for the forwarding on port 9997. By running splunk enable listen 9997 I get

    Failed to create. Configuration for port 9997 already exists.

Connectivity is configured over port 9997 between the two servers. I have used nmap to test over this port to and from both servers using internal and external IP addresses. Therefore I am quite sure no firewall rule or security mechanism is to blame. In fact, the back-end Splunk log for the main Splunk server has registered some activity of the Splunk forwarder.

I am trying to index /var/log/* on my Splunk forwarder server. Here is an excerpt from /opt/splunkforwarder/var/log/splunk/splunkd.log:

    10-10-2019 00:21:18.059 +0000 INFO WatchedFile - Will begin reading at offset=4835872 for file='/var/log/sampleoct.log'.
    WARN FileClassifierManager - The file '/var/log/.test123.swp' is

In /var/log/ there is a non-binary file of text that I created. On the Splunk server, I see no evidence that a second instance (e.g., the Splunk forwarder) is working. On the Splunk server I see this in /opt/splunk/var/log/splunk/splunkd.log:

    10-10-2019 00:21:09.930 +0000 WARN DateParserVerbose - Accepted time (Tue Oct 8 16:59:22 2019) is suspiciously far away from the previous event's time (Wed Oct 9 23:48:21 2019), but still accepted because it
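A small triage script for splunkd.log lines in the layout quoted above, added here as an example and not part of the original post or of Splunk's own tooling: it parses each line, lists which files the forwarder is tailing or rejecting, and looks for the connection messages that would show the forwarder reaching the indexer (or the indexer accepting it). The sample lines are constructed, and the TcpOutputFd/TcpOutputProc/TcpInputProc component names and their message wording are assumptions based on typical splunkd.log content, not something the question shows.

```python
import re
from collections import Counter

# splunkd.log layout as quoted in the question: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$"
)

# Constructed sample: the two forwarder lines from the question plus an assumed
# TcpOutputFd failure line written in the usual splunkd.log style (not from the page).
SAMPLE = """\
10-10-2019 00:21:18.059 +0000 INFO WatchedFile - Will begin reading at offset=4835872 for file='/var/log/sampleoct.log'.
10-10-2019 00:21:18.101 +0000 WARN FileClassifierManager - The file '/var/log/.test123.swp' is invalid. Reason: binary
10-10-2019 00:21:19.000 +0000 WARN TcpOutputFd - Connect to 192.0.2.10:9997 failed. Connection refused
"""

def parse_splunkd(text):
    """Return one dict per line that matches the splunkd.log layout; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(events):
    """Summarise what the log says about monitored files and the forwarder/indexer link."""
    s = {"by_component": Counter((e["level"], e["component"]) for e in events),
         "files_tailed": [], "files_rejected": [],
         "output_connected": False, "output_errors": [], "input_sources": []}
    for e in events:
        comp, msg = e["component"], e["msg"]
        if comp == "WatchedFile" and "Will begin reading" in msg:
            f = re.search(r"file='([^']+)'", msg)   # the input really is being tailed
            if f: s["files_tailed"].append(f.group(1))
        elif comp == "FileClassifierManager":        # file skipped by the classifier (e.g. binary)
            f = re.search(r"The file '([^']+)'", msg)
            if f: s["files_rejected"].append(f.group(1))
        elif comp.startswith("TcpOutput"):           # forwarder side (assumed component names)
            if "Connected to idx=" in msg:
                s["output_connected"] = True
            elif e["level"] in ("WARN", "ERROR"):
                s["output_errors"].append(msg)
        elif comp == "TcpInputProc":                 # indexer side (assumed component name)
            src = re.search(r"src=([\d.]+:\d+)", msg)
            if src: s["input_sources"].append(src.group(1))
    return s

def run_sample():
    return triage(parse_splunkd(SAMPLE))

if __name__ == "__main__":
    print(run_sample())
```

Run it against /opt/splunkforwarder/var/log/splunk/splunkd.log on the forwarder and /opt/splunk/var/log/splunk/splunkd.log on the indexer; an empty input_sources list on the indexer alongside output_errors on the forwarder points at the link itself rather than at the monitored inputs.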