Forums: SplunkAdministration: Forwarding and lack of events...



Posts 1–9 of 9

I am just beginning with Splunk, so please be patient.

So I have two Windows boxes, a dedicated Splunk box (with enterprise license) and another Windows box as a domain controller.

I've loaded the free version of Splunk on the domain controller. Everything looks fine, it indexes the event logs on that device.

Now, I've set it up to forward the events to the dedicated Splunk box. On the dedicated Splunk box, I see the hostname of the domain controller.

But none of the events are being forwarded... any thoughts?

[Revised on Tue, 13 May 2008 19:30:58 -0700]

So on the domain controller, do I need to indicate what I wish to forward, or does it automatically forward everything?

Hmmm, weird! When you search on the hostname of the DC in Splunk over all time, you get no results? How did you set up forwarding?

araitz, please correct me if I am wrong.
What I have learnt till now is that for forwarding we must enable it by specifying the IP and port of the receiver, and must also configure the receiver Splunk with the IP and port of the sender which is sending out the data. Also, after making these settings, restart Splunk on both sides.

I have specified both (default is 9997 for receiver and 8089 from the sender). Still nothing.

[Revised on Wed, 14 May 2008 12:28:53 -0700]

Under Admin, on the Distributed tab, I specified that the Splunk server should receive on 9997 (from other Splunk servers).
On the forwarder, I defined the hostname and the port that it should send its events to.

Can you please post the inputs.conf and outputs.conf from the forwarder as well as the inputs.conf from the receiver?

inputs.conf from receiver (host = splunkserver.com)

[splunktcp:9997]
disabled = false
queue = indexQueue
sourcetype = tcp-9997

[tcp:514]
disabled = true
queue = parsingQueue
sourcetype = syslog

[udp://514]
disabled = false
sourcetype = syslog

inputs.conf from forwarder

[WinEventLog:System]
disabled = 0

[WinEventLog:Security]
disabled = 0

[WinEventLog:Application]
disabled = 0

host = xxxxx

***

outputs.conf from forwarder

[tcpout]

# source: C:\Program Files\Splunk\etc\bundles\local\outputs.conf

defaultGroup = default-clone-group-splunkserver_com_9997
disabled = false
indexAndForward = false

[tcpout:default-clone-group-splunkserver_com_9997]
disabled = false
server = splunkserver.com:9997

If you look in splunkd.log on either side, do you see errors? Do you see indications that the connection is being made? Can you telnet from the forwarder to the indexer on 9997?
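Added example, not code from the thread or from Splunk: a small Python checker that parses a receiver inputs.conf and a forwarder outputs.conf (the pair posted above, embedded inline) and reports whether the forwarder's tcpout target lands on an enabled splunktcp listener on the receiver. Stanza and key names are the ones in the posted configs; the parsing rules (INI-style stanzas, `disabled` accepting true/false/1/0, absent meaning enabled) are assumptions about the file format.

```python
import configparser
# Constructed from the configs posted in the thread (syslog stanzas omitted).
RECEIVER_INPUTS = """[splunktcp:9997]
disabled = false
"""
FORWARDER_OUTPUTS = """[tcpout]
defaultGroup = default-clone-group-splunkserver_com_9997
disabled = false

[tcpout:default-clone-group-splunkserver_com_9997]
disabled = false
server = splunkserver.com:9997
"""

def _parse(text):
    # Splunk .conf files are INI-style; keys are case-sensitive (defaultGroup).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _enabled(stanza):
    # Assumption: disabled accepts true/false or 1/0; an absent key means enabled.
    return stanza.get("disabled", "false").strip().lower() not in ("true", "1")

def listen_ports(receiver_inputs):
    cp = _parse(receiver_inputs)
    return {int(s.split(":", 1)[1]) for s in cp.sections()
            if s.startswith("splunktcp:") and _enabled(cp[s])}

def check_forwarding(receiver_inputs, forwarder_outputs):
    # Returns a list of mismatches; an empty list means the pair is consistent.
    findings = []
    ports = listen_ports(receiver_inputs)
    if not ports:
        findings.append("receiver has no enabled [splunktcp:<port>] stanza")
    out = _parse(forwarder_outputs)
    if "tcpout" not in out or not _enabled(out["tcpout"]):
        return findings + ["[tcpout] missing or disabled on forwarder"]
    group = out["tcpout"].get("defaultGroup", "")
    if f"tcpout:{group}" not in out:
        return findings + [f"defaultGroup '{group}' has no matching tcpout stanza"]
    target_group = out[f"tcpout:{group}"]
    if not _enabled(target_group):
        findings.append(f"[tcpout:{group}] is disabled")
    for target in target_group.get("server", "").split(","):
        port = target.strip().rpartition(":")[2]
        if not port.isdigit() or int(port) not in ports:
            findings.append(f"{target.strip()} does not match a receiving port {sorted(ports)}")
    return findings
```

An empty result, as for the posted pair, means the problem is not a port or stanza mismatch and the next stop is splunkd.log on both sides.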

alex,

You know, I just realized something.

Once I loaded Splunk as a forwarder, I expected it to forward all the existing logs, which is about 5000 events.

But what I noticed is that, as a forwarder, it will only pass on events occurring after the installation.

Is the behavior correct?

That is correct, we will only read from the bottom of the file. It would be very bad from the EventLog API and Splunk index point of view if we tried to index old events in the event log.
