I've got a new install of Splunk that refuses to receive logs from any of my Windows servers. I have the Splunk Universal Forwarder installed on the machine I want to gather logs from. I left the port setting on the default. However, the only logs the Splunk server seems to be receiving are local log files. I'm not sure what the problem is; I didn't have this problem when I set up Splunk previously. Maybe I'm overlooking something obvious? I'm using the current release of Splunk as well as the current release of the forwarder.

asked 03 Jan '12, 12:01

nmace


7 Answers:

Use netstat to see which process is using your port 9997 TCP.

udp, tcp and splunktcp are different protocols; you want splunktcp. To configure Splunk to receive forwarded data, go to Manager > Forwarding & receiving > Receiving and add port 9997 (and disable the inputs you may have created under Inputs).

answered 04 Jan '12, 10:31

yannK
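The two checks this answer asks for, automated as an added example (POSIX sh and awk, not code from the original thread or from Splunk): find which process already holds TCP 9997, and list which inputs.conf stanzas claim that port, so a leftover `[tcp://9997]` input (wrong protocol) can be told apart from the `[splunktcp://9997]` receiver a forwarder needs. The netstat output and inputs.conf below are constructed samples; on a real host, feed in saved `netstat -ano` output from the indexer and its `$SPLUNK_HOME/etc/system/local/inputs.conf`.

```shell
# Added example, not code from the original thread or from Splunk. It automates
# the two checks in the accepted answer: (1) which process already holds TCP
# 9997, and (2) which inputs.conf stanzas claim that port, so a raw [tcp://9997]
# input (wrong protocol for a forwarder) can be told apart from the
# [splunktcp://9997] receiver. Both inputs below are constructed samples.

# Constructed sample of `netstat -ano` output: PID 4321 already owns 9997.
SAMPLE_NETSTAT='  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:9997           0.0.0.0:0              LISTENING       4321
  TCP    10.0.0.5:49152         10.0.0.7:9997          ESTABLISHED     4321
  UDP    0.0.0.0:514            *:*                                    1234'

# Constructed sample inputs.conf: a raw tcp:// input was added by hand first,
# then the receiver; both claim 9997, which is the "port not available" case.
SAMPLE_INPUTS_CONF='[tcp://9997]
sourcetype = syslog

[splunktcp://9997]
disabled = 0

[udp://514]
sourcetype = syslog'

# Read netstat output on stdin; print the PID listening on TCP port $1
# (nothing if the port is free). Only LISTENING rows match, so an outbound
# connection to some other host's 9997 is not mistaken for a local listener.
listener_pid() {
    awk -v port="$1" '
        $1 == "TCP" && $4 == "LISTENING" && $2 ~ (":" port "$") { print $5 }
    '
}

# Read inputs.conf on stdin; print the scheme (tcp, udp, splunktcp) of every
# stanza that claims port $1, one per line. Handles both [scheme://port]
# and [scheme://host:port] stanza forms.
port_claims() {
    awk -v port="$1" '
        /^\[[a-z]+:\/\/[^]]+\]$/ {
            s = substr($0, 2, length($0) - 2)   # strip the surrounding brackets
            n = split(s, f, ":")                # f[1] = scheme, f[n] = "//port" or "port"
            p = f[n]
            sub(/^\/+/, "", p)                  # drop the "//" left on a bare port
            if (p == port) print f[1]
        }
    '
}

# Succeed only when port $1 is claimed by exactly one stanza and that stanza
# is the splunktcp receiver; fail for a raw tcp/udp input or a duplicate claim.
receiver_ok() {
    [ "$(port_claims "$1")" = "splunktcp" ]
}

# Usage on the constructed samples:
pid=$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_pid 9997)
echo "TCP 9997 listener PID: ${pid:-none}"
echo "Stanzas claiming 9997:"
printf '%s\n' "$SAMPLE_INPUTS_CONF" | port_claims 9997
if printf '%s\n' "$SAMPLE_INPUTS_CONF" | receiver_ok 9997; then
    echo "receiver configuration looks right"
else
    echo "fix inputs.conf: 9997 must be a single splunktcp:// stanza"
fi
```

If `listener_pid` reports a PID that is not splunkd, the port must be freed (or the receiver moved to another port and the forwarder's outputs.conf updated to match) before the Receiving page will accept it; if `port_claims` shows a `tcp` stanza next to `splunktcp`, the raw input is the one to delete.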

Any firewall between forwarder and splunk server?

answered 03 Jan '12, 12:05

Spelunke

Nope. No hardware firewall, no software firewall either.

answered 03 Jan '12, 12:07

nmace

Here are some steps:

  • check $SPLUNK_HOME/var/log/splunk/splunkd.log on the forwarder to see if it complains about a network issue or log collection
  • maybe the internal logs are forwarded but not the Windows events (check index=_internal | stats count by host)
  • is the indexer receiving data from other forwarders?

answered 03 Jan '12, 18:37

yannK

The log file reports:

No connection could be made because the target machine actively refused it.

That is looking on port 9997 (the default). When I try to add that port to Splunk's TCP data inputs, I get a "Parameter name: TCP port 9997 is not available". That port is not set up as a UDP port either.

This Splunk host isn't receiving any data from any forwarder.

answered 04 Jan '12, 07:57

nmace

That fixed it, thanks! Netstat revealed something else was using port 9997. Fixing that, then deleting my inputs and setting it up under "Receiving" fixed the problem. Thanks!

answered 04 Jan '12, 12:24

nmace

Copyright © 2005-2012 Splunk Inc. All rights reserved.