I am attempting to send DNS logs from Pi-hole to Splunk. I have the Universal Forwarder (UF) installed on the Pi-hole, and when I attempt to start Splunk on the UF, I get the following error.
I confirmed that the Splunk host is listening on TCP 5353 for that connection, and I can ping the host from the Pi-hole.
Any ideas on what I am missing?
05-29-2019 12:40:42.231 -0400 WARN TcpOutputFd - Connect to 10.0.155.157:5353 failed. No route to host
05-29-2019 12:40:42.231 -0400 ERROR TcpOutputFd - Connection to host=10.0.155.157:5353 failed
05-29-2019 12:40:42.232 -0400 WARN TcpOutputFd - Connect to 10.0.155.157:5353 failed. No route to host
05-29-2019 12:40:42.232 -0400 ERROR TcpOutputFd - Connection to host=10.0.155.157:5353 failed
root@raspberrypi:/opt/splunkforwarder/etc/system/local# ping 10.0.155.157
PING 10.0.155.157 (10.0.155.157) 56(84) bytes of data.
64 bytes from 10.0.155.157: icmp_seq=1 ttl=64 time=0.564 ms
64 bytes from 10.0.155.157: icmp_seq=2 ttl=64 time=0.530 ms
64 bytes from 10.0.155.157: icmp_seq=3 ttl=64 time=0.532 ms
![alt text][1]
Here are the config files on my pi-hole:
inputs.conf
root@raspberrypi:/opt/splunkforwarder/etc/system/local# cat inputs.conf
[default]
host = raspberrypi
[monitor:///var/log/pihole.log]
index = pihole
sourcetype = dnsmasq
disabled = false
outputs.conf
root@raspberrypi:/opt/splunkforwarder/etc/system/local# cat outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.155.157:5353
[tcpout-server://10.0.155.157:5353]
props.conf
root@raspberrypi:/opt/splunkforwarder/etc/system/local# cat props.conf
[dnsmasq]
NO_BINARY_CHECK = true
DATETIME_CONFIG =
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 24
[1]: /storage/temp/273796-screen-shot-2019-05-29-at-125730-pm.png