|
I've been attempting to setup a Splunk deployment server. I have receiving enabled on port 28090, I can telnet from forwarder machine to the splunk machine on that port, however, the forwarder just keeps putting out these error messages: After reading some of the other similar questions here, I've attempted enabling and disabling SSL, which didn't help. If I turn off the listener on the deployment server, the following error occurs on the forwarder: So there definitely appears to be some communication happening. Also, when checking to see if deployment clients are connected: Running 'netstat | grep 28090' definitely shows the clients are connected. What step(s) am I missing here? |
|
You will not need to enable receiving specifically for the deployment server. That feature is to allow forwarders to send their data to the indexer. On the deployment server, you will need to have a serverclass.conf that defines classes and assigns apps to those classes. On the deployment client, you will need to have a deploymentclient.conf that contacts the deployment server on its splunkd port (8089 by default). The below configuration would allow the deployment client to pull the application testApp from the deployment server's $SPLUNK_HOME/etc/deployment-apps/testApp to its $SPLUNK_HOME/etc/apps/testApp serverclass.conf sample: deploymentclient.conf sample: The deployment server is the indexer (for now). Would this have any affect?
(24 May '11, 08:27)
cvweiss
A Splunk server may have several roles. You can host your deployment server on your indexer and the two won't interfere with each other. Your indexer can even be a client of its deployment server. "I'm not only the Hair Club president, I'm also a client"
(24 May '11, 08:30)
bwooden ♦
1
Even using the most basic configuration I'm still getting the same not_connected error. I'm at a loss here.
(24 May '11, 12:07)
cvweiss
|
|
Same here. I have the forwarder tested and working on two development servers using the most basic configuration possible (deployment server and receiving indexer are the same, skip certificate information, etc). I went through the exact same setup/configuration process on a production server. I'm not seeing that any logs are being shipped and I see the same "DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected" error repeatedly in splunkd.log. Any suggestions? I'm not even sure how to debug. did you restart you deployment server after enabling deployment services?
(30 Jun '11, 07:12)
ziegfried ♦
I have the same issue and error. Have restarted forwarder and listener. Any suggestions ?
(07 Jan '12, 12:18)
cyberbob
|
|
I had the same thing and realized I had managed to move the deploymentServer app out of the way (which holds my serverclass.conf). So make sure you have one of those under $SPLUNK/etc/apps somewhere. Also, make sure you've only got one splunk instance installed. |
|
"Also, make sure you've only got one splunk instance installed". Does that mean you can't have the Universal Forwarder installed on a Splunk indexer? That would be two instances....what if you are trying to send the Indexer's logs to other indexers, for redundancy? There's no need to install a separate UF on an indexer. While you could, it's probably not what you really want and will probably wind up confusing things. I was more concerned about the confusing part for this debugging exercise.
(23 Jan, 09:04)
christopher....
"what if you are trying to send the Indexer's logs to other indexers, for redundancy?" That's our need; we send our logs to more than one indexer. What other method do you suggest, especially when dealing with Windows Event logs.
(23 Jan, 09:09)
gsawyer1
|
