
Not receiving logs from Syslog Server

I have set up a universal forwarder to read logs from Kiwi Syslog Server. The Universal Forwarder is set to forward logs to the Indexer via a Heavy Forwarder. I have also set up the Heavy Forwarder as the deployment server. I have deployed the following inputs.conf to the U.F by deploying an app from the deployment server.

    [monitor://C:\Program Files (x86)\Syslogd\Logs\x.x.x.x\log*.txt]
    index = main
    sourcetype = syslog
    disabled = false

With all the above settings, I still can't see any logs on the Indexer. I have confirmed the following things already:

1. U.F has the right privilege to read logs from syslog's log folder.
2. Network connection established between Syslog Server and H.F on H.F's port 9997 and 8089.
3. Receiving port 9997 on Indexer enabled.

The splunk btool inputs list monitor command also does not work on the U.F.

Please help me troubleshoot this. Thank you.
