Lightweight Forwarder problem

Question

Hi

I have setup Indexer and trying to configure Lightweight forwarder. My input.conf on indexer looks like this: -

[default]
host = abc

[tcp://:9997]
connection_host = dns

[splunktcp://:9997]
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 60

and output.conf on lighweight forwarder looks like this: -

[tcpout]
disabled = false
indexAndForward = 0
defaultGroup=my_indexers

[tcpout:my_indexers]
server=abc:9997

[tcpout-server://abc:9997]

When I run a wireshark I can see data packets going between the two hosts, but when I look into *NIX or search app, I do not see my lightweight forwader server in it. Any clue what I am missing.

Thanks

Answer 1

0

Start by removing your [tcp://:9997] stanza, you shouldn't have both a splunktcp and tcp listener on the same port like this.

link

answered 07 Feb '11, 19:37

Lowell ♦
11.2k●9●12●91
accept rate: 41%

even after that it dosent work.any other clues? I can see in in logs 02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx 02-07-2011 15:15:51.054 INFO TcpInputProc - Connection in cooked mode from xxx.xxx.xxx.xxx 02-07-2011 15:15:51.131 INFO TcpInputProc - Valid signature found 02-07-2011 15:15:51.131 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx 02-07-2011 15:15:51.165 INFO TcpInputProc - Valid signature found 02-07-2011 15:15:51.165 INFO TcpInputProc - Connection accepted from xxx.xxx.xxx.xxx

but i still dont see that host in UI.

(07 Feb '11, 22:58) nitinthakur

Answer 2

0

Is your forwarder configured to read any data/inputs?

link

answered 08 Feb '11, 03:12

gkanapathy ♦
32.6k●4●8●27
accept rate: 41%

there is nothing in inputs.conf on forwarder. There is unix app installed on it. As per my understanding everything should be going from forwarder to os index on receiver. But for some reasons on indexer I do not see any mention of the forwarder server in any of the indexes.

(08 Feb '11, 17:26) nitinthakur

In search app i did index=_internal and the search result showed me the forwarded host there. So Forwarding is working. So your question makes sense am I monitoring anything? No, in that case. I am not interested in monitoring any files at this point. I want to see my host appear under *NIX application on the indexer. Is there any specific configuration needed to be done to achieve that?

(08 Feb '11, 18:13) nitinthakur

Sounds to me like the Unix inputs aren't enabled on the forwarder, so no data is being read or collected, so nothing will show up for that machine in the app?

(08 Feb '11, 18:58) gkanapathy ♦

Okay then million dollar question, how do I enable *nix app. I set disabled = false for everything in /opt/splunk/etc/apps/unix/default/inputs.conf and restarted splud but to no avail....

(08 Feb '11, 19:02) nitinthakur

Well, you generally shouldn't modify items in default/ because they get overwritten on upgrade. You should instead override the setting in local/. But the Unix app is disabled overall by default, so you would need to enable it by creating a local/app.conf with the "state = enabled" setting. (See default/app.conf)

(08 Feb '11, 20:04) gkanapathy ♦

Lightweight Forwarder problem

Follow this question

Splunk Resources

Related questions