I've been trying to set up a universal forwarder to send to Splunk, and it doesn't appear to want to connect. Here's my current outputs.conf:
[tcpout]
defaultGroup = 172.31.**.**_9997

[tcpout:172.31.**.**_9997]
server = 172.31.**.**:9997

[tcpout-server://172.31.**.**:9997]
compressed = false
indexAndForward = false
sslCertPath = /opt/splunkforwarder/etc/auth/server.pem
sslPassword = $1$Ljp9kArNr5Od
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
sslVerifyServerCert = false
And this is what I get when I list forward-server:
Active forwards:
None
Configured but inactive forwards:
172.31.**.**:9997 (ssl)
My receiver is set up and receives data from other forwarders, per our security guy. Any suggestions? We found a firewall issue yesterday, so that got removed. Now our firewall is showing the packets going out. Not sure if I just need to restart our Splunk server, or what. Security guy doesn't want to do that, though, as we currently have other forwarders sending info to it.