I've been attempting to set up a Splunk deployment server. I have receiving enabled on port 28090, and I can telnet from the forwarder machine to the Splunk machine on that port; however, the forwarder just keeps putting out these error messages:
After reading some of the other similar questions here, I've attempted enabling and disabling SSL, which didn't help. If I turn off the listener on the deployment server, the following error occurs on the forwarder:
So there definitely appears to be some communication happening. Also, when checking to see if deployment clients are connected:
Running 'netstat | grep 28090' definitely shows the clients are connected.
What step(s) am I missing here?
asked 24 May '11, 07:51
You will not need to enable receiving specifically for the deployment server. That feature is to allow forwarders to send their data to the indexer.
On the deployment server, you will need to have a serverclass.conf that defines classes and assigns apps to those classes.
On the deployment client, you will need to have a deploymentclient.conf that contacts the deployment server on its splunkd port (8089 by default).
The below configuration would allow the deployment client to pull the application testApp from the deployment server's $SPLUNK_HOME/etc/deployment-apps/testApp to its $SPLUNK_HOME/etc/apps/testApp.
answered 24 May '11, 08:13
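As an added illustration of the two files this answer describes (not the answer's own configuration and not taken from Splunk's documentation), here is a minimal pair; the deployment server hostname, the server class name linuxForwarders, the whitelist pattern and the clientName are assumptions:

```ini
# $SPLUNK_HOME/etc/system/local/serverclass.conf on the DEPLOYMENT SERVER
# (assumed class name "linuxForwarders"; the app testApp must already exist under
#  $SPLUNK_HOME/etc/deployment-apps/testApp)
[serverClass:linuxForwarders]
# Only clients whose clientName/hostname/IP matches are placed in this class (assumed pattern).
whitelist.0 = fwd-*.example.com

[serverClass:linuxForwarders:app:testApp]
# Restart the client's splunkd after the app is installed or updated.
restartSplunkd = true
# Leave the app enabled once it lands in $SPLUNK_HOME/etc/apps on the client.
stateOnClient = enabled

# $SPLUNK_HOME/etc/system/local/deploymentclient.conf on the DEPLOYMENT CLIENT
# (assumed server hostname; 8089 is splunkd's management port, not a receiving port)
[deployment-client]
# Optional: the name the client reports to the server (defaults to its hostname).
clientName = fwd-01.example.com

[target-broker:deploymentServer]
targetUri = deploymentserver.example.com:8089
```

After restarting splunkd on both sides, `splunk list deploy-clients` on the deployment server should list the client; if it does not, confirm that port 8089 (not the receiving port) is reachable from the client.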
Same here. I have the forwarder tested and working on two development servers using the most basic configuration possible (deployment server and receiving indexer are the same, skip certificate information, etc). I went through the exact same setup/configuration process on a production server. I'm not seeing that any logs are being shipped and I see the same "DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected" error repeatedly in splunkd.log.
Any suggestions? I'm not even sure how to debug.
answered 30 Jun '11, 06:39
I had the same thing and realized I had managed to move the deploymentServer app out of the way (which holds my serverclass.conf). So make sure you have one of those under $SPLUNK/etc/apps somewhere.
Also, make sure you've only got one Splunk instance installed.
answered 24 Apr '12, 12:54
"Also, make sure you've only got one Splunk instance installed." Does that mean you can't have the Universal Forwarder installed on a Splunk indexer? That would be two instances... what if you are trying to send the indexer's logs to other indexers, for redundancy?
answered 23 Jan, 08:52