This topic lists known issues that are specific to the universal forwarder.
Universal forwarder issues
|Date filed||Issue number||Description|
|2016-06-16||SPL-122917, SPL-119172||ERROR AuditTrailManager - Private key error Error opening private.pem: The system cannot find the path specified.|
Workaround: This message should be benign, particularly on a forwarder.
If you need them for signedAudit=true stanzas in inputs.conf, create the audit keys: splunk createssl audit-keys
if you don't need to sign any events, emove the [auditTrail] stanza from $SPLUNK_HOME/etc/system/default/audit.conf.
|2015-04-14||SPL-99687, SPL-129637||Splunk universal forwarder is 7-10 days behind recent Windows Security and system log events.|
Workaround: To mitigate this, edit the following stanza in inputs.conf: [WinEventLog://Security] evt_resolve_ad_obj = 0.
|2015-04-07||SPL-99316||Universal Forwarders stop sending data repeatedly throughout the day|
Workaround: In limits.conf, try changing file_tracking_db_threshold_mb in the [inputproc] stanza to a lower value.
|2014-08-05||SPL-88396||After configuring a client name for a deployment client, the name is not shown in the Forwarder Management UI|
Workaround: Create a server class, where you can see the client name, and use that group when you add data.
|2013-09-18||SPL-74427, SPL-74448||The Splunk universal forwarder installer for Solaris 10 does not add the splunk user when you attempt to install it using the pkgadd command. This results in the script generating lots of errors.|
Workaround: To work around this issue, create a splunk user on your system before attempting to run the installer.
Troubleshoot the universal forwarder with Splunk Enterprise
This documentation applies to the following versions of Splunk® Universal Forwarder: 6.5.1