Hi,
I'm trying to set up a universal forwarder on a VM network. I've set up the inputs and outputs configuration files on the forwarder:
In inputs.conf:
[monitor:///var/log/syslog]
sourcetype = syslog
disabled = 0
index=ubuntu
In outputs.conf:
[tcpot-server://ip_address_of_receiver:9997]
[tcpout]
defaultGroup = default-autolb-group
tcpout:default-autolb-group]
server = steven-VirtualBox:9997
[tcpout-server://steven-VirtualBox:9997]
I've also tried to set up receiving on the VM with the main Splunk instance, first from Splunk web, and then from the CLI:
In inputs.conf:
[default]
host = steven-VirtualBox
[splunktcp://9997]
disabled = 0
However, when I try to add data in Splunk Web with the forwarder, I get the error "There are currently no forwarders configured as deployment clients to this instance." Further, when I use "./splunk list forward-server" on the forwarder, I get the following output:
Active forwards:
None
Configured but inactive forwards:
ip_address of receiver:9997
steven-VirtualBox:9997
Does anyone have any insight on how to bring this forwarder up? I'm at a loss.
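An added example, not part of the original post: a small Python lint run over the outputs.conf lines quoted above. It flags stanza headers with unbalanced brackets or unrecognized names, and a defaultGroup that points at no [tcpout:<group>] stanza. The accepted stanza forms are a subset chosen for this example, and `lint_outputs_conf`, `KNOWN` and `POSTED` are hypothetical names.

```python
import re

# Stanza header forms accepted by this example (a subset of outputs.conf, assumed sufficient here).
KNOWN = re.compile(
    r"^(tcpout|tcpout:[^\s\]]+|tcpout-server://[^\s\]]+:\d+|syslog(:[^\s\]]+)?|indexAndForward)$")

# Constructed sample: the outputs.conf lines as posted in the question above.
POSTED = """\
[tcpot-server://ip_address_of_receiver:9997]
[tcpout]
defaultGroup = default-autolb-group
tcpout:default-autolb-group]
server = steven-VirtualBox:9997
[tcpout-server://steven-VirtualBox:9997]
"""

def lint_outputs_conf(text):
    """Return a list of (line_number, message) findings for an outputs.conf body."""
    findings, stanzas, settings, current = [], set(), {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.add(current)
            if not KNOWN.match(current):
                findings.append((n, f"unrecognized stanza name: {current}"))
        elif line.startswith("[") or line.endswith("]"):
            findings.append((n, f"unbalanced stanza brackets: {line}"))
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings.setdefault(current, {})[key] = (n, value)
        else:
            findings.append((n, f"neither stanza nor key = value: {line}"))
    # Every group named in defaultGroup needs a [tcpout:<group>] stanza with a server list.
    n, groups = settings.get("tcpout", {}).get("defaultGroup", (0, ""))
    for group in filter(None, (g.strip() for g in groups.split(","))):
        name = f"tcpout:{group}"
        if name not in stanzas:
            findings.append((n, f"defaultGroup references missing stanza [{name}]"))
        elif "server" not in settings.get(name, {}):
            findings.append((n, f"[{name}] has no server setting"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_outputs_conf(POSTED):
        print(f"line {lineno}: {msg}")
```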