I've tried browsing around previous topics but couldn't find anything that worked for my particular situation. I have a very simple test setup with a Universal Forwarder, a Debian 9 machine running the free edition of Splunk Enterprise, and another non-Splunk box. My goal was to simulate log forwarding from the workstation running the Universal Forwarder to the Splunk box to my non-Splunk box. I was indexing things up to 3 hours ago while troubleshooting why logs weren't being forwarded to my non-Splunk server. Eventually, I was able to get this data forwarded successfully to my non-Splunk server but then I noticed it stopped indexing on the Splunk server. No errors.
My Splunk server's outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.X.1.99:514
sendCookedData = false
indexAndForward=true
[tcpout-server://10.X.1.99:514]
My Splunk server's inputs.conf; listening on 9997:
[default]
host = splunk
------------------------------------
My Universal Forwarder's outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.X.1.181:9997
autoLB = true
My Universal Forwarder's inputs.conf (SOC workstation):
[default]
host = SOC-6
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log/auth.log
/var/log/syslog
It's supposed to be a very basic setup. Like I said, I'm receiving logs on the non-Splunk box, which was the main goal, but I can't leave it partial with the Indexer not indexing. If you require further information, feel free to request it. Thanks.
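An added diagnostic, not code from the post above: a small Python checker that parses an outputs.conf like the one shown and reports whether `indexAndForward` is in a stanza where Splunk's outputs.conf spec says it is honoured (only the global `[tcpout]` stanza, default false). The sample config is a constructed copy of the indexer's outputs.conf from the post; the function and key names are my own.

```python
import configparser
from typing import Dict, List

# Constructed copy of the indexer's outputs.conf from the post above; note that
# indexAndForward sits inside the target-group stanza rather than in [tcpout].
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.X.1.99:514
sendCookedData = false
indexAndForward=true

[tcpout-server://10.X.1.99:514]
"""

Conf = Dict[str, Dict[str, str]]

def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf text: [stanza] headers followed by key = value lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_index_and_forward(conf: Conf) -> List[str]:
    """Explain why a forwarding Splunk Enterprise instance stops indexing locally:
    the spec honours indexAndForward only in [tcpout] (default false); a copy
    inside a tcpout:<group> stanza is ignored, leaving a forward-only box."""
    findings = []
    for stanza, kv in conf.items():
        if stanza != "tcpout" and "indexAndForward" in kv:
            findings.append(f"[{stanza}]: indexAndForward is ignored here; move it to [tcpout]")
    if conf.get("tcpout", {}).get("indexAndForward", "false").strip().lower() != "true":
        findings.append("[tcpout]: indexAndForward is not true, so data is forwarded but not indexed")
    return findings

def fix_index_and_forward(conf: Conf) -> Conf:
    """Return a copy with indexAndForward = true set in [tcpout] and removed elsewhere."""
    fixed = {s: dict(kv) for s, kv in conf.items()}
    for stanza, kv in fixed.items():
        if stanza != "tcpout":
            kv.pop("indexAndForward", None)
    fixed.setdefault("tcpout", {})["indexAndForward"] = "true"
    return fixed

def render_conf(conf: Conf) -> str:
    """Serialise back to .conf text so the corrected file can be reviewed or dropped in."""
    return "\n".join(f"[{s}]\n" + "".join(f"{k} = {v}\n" for k, v in kv.items()) for s, kv in conf.items())
```

Run `check_index_and_forward(parse_conf(SAMPLE_OUTPUTS_CONF))` against the sample to see the two findings, then `render_conf(fix_index_and_forward(...))` for the corrected stanza layout.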