After building a deployment and a heavy forwarder on one server we seem to be having issues when we point the universal forwarders to the heavy forwarder. We are new to Splunk 6.3.1 and are not sure if there have been any changes in how to do this?
Overview:
We spun up two new Splunk heavy forwarders for a new company and need both of them to forward logs to our indexers. One of the new heavy forwarders will also act as a deployment server. When setting them up, my stanzas are as follows:
Deployment app in `Splunk\etc\deployment-apps\App1\default` (outputs.conf):
```
[tcpout]
defaultGroup = lb_group
disabled = false
heartbeatFrequency = 300

[tcpout:lb_group]
server = HF1.com:9997, HF2.com:9997
autoLB = true
disabled = false
```
HF config: `Splunk\etc\system\local` (outputs.conf):
```
[syslog:my_syslog_group]
#FWD logs to an IDS
disabled = false
server = 10.10.10.10:514
type = udp
sendCookedData = false

[tcpout]
defaultGroup = lb_group
disabled = false

[tcpout:lb_group]
server = idx01.com:9997, idx02.com:9997, idx03.com:9997
autoLB = true
disabled = false
```
Any input will help,
thank you in advance!