topic Re: Syslog disk full Alert after changing hostname of the server in Deployment Architecture

Syslog disk full Alert after changing hostname of the server

thesriidhar — Mon, 25 Aug 2014 05:18:55 GMT

Dear Helpers,

I'm keep getting syslog disk full alert, after changing the hostname of the server, where I installed splunk forwarder to forward all the logs to the Splunk indexing server.

As I checked, that is occupied only 16 % of the disk space.

Kindly help me on this issue.

Million thanks in advance !!!

Re: Syslog disk full Alert after changing hostname of the server

MuS — Mon, 25 Aug 2014 07:26:19 GMT

Hi, I'pretty sure this is not caused nor related to Splunk. perform basic troubleshooting where and why those messages occur and fix that problem.

Re: Syslog disk full Alert after changing hostname of the server

grijhwani — Mon, 25 Aug 2014 13:25:43 GMT

If you have changed the host name, have you also change its IP address? If Splunk was configured to allow access only from the original IP then that could be your problem. Doubtful though.

Not sure why you would want to begin by blaming Splunk. I'd be inclined to treat the error message literally to begin with. (Most errors say what they mean.) Has your changing the name of the host caused errors elsewhere in the system which has caused sufficient error messages to be generated that the local syslog partition is in fact full? Do you have any log rotation? Is the problem correspondence with the change of hostname purely coincidental? These are all novice questions. If you are running Linux as a novice, you need to understand that changing the host name may have consequences you have not allowed for. Quite aside from the issue you may or may not be having with Splunk you need to understand those first, and seek help in a more appropriate forum (linuxquestions.org for example).

Re: Syslog disk full Alert after changing hostname of the server

thesriidhar — Wed, 27 Aug 2014 05:25:28 GMT

Hello MuS,

thanks for the info / response ...

As I checked, when I change the hostname I need to update the same in the following:

/opt/splunkforwarder/etc/system/local/input.conf

/opt/splunkforwarder/etc/system/local/server.conf

once it is done, now the new name is reflecting. But again I could see the old one as well with the error "Missing" in the splunk server.

Do you have any clue on this ?

Re: Syslog disk full Alert after changing hostname of the server

MuS — Wed, 27 Aug 2014 05:54:39 GMT

The old host will found by searches as long as it is available in your data and/or metadata. Maybe you should look at the delete command which will hide events from showing up in searches http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Delete

Re: Syslog disk full Alert after changing hostname of the server

thesriidhar — Wed, 27 Aug 2014 06:29:27 GMT

thanks a lot for the information MuS.

Just now checked, there is no old entry. I didn't made any change other than changing the hostname in the above mentioned files.

Now I'm good now.

Million thanks for your efforts / time.

Let me come-up with my other doubts and queries.

I love this community.

Re: Syslog disk full Alert after changing hostname of the server

MuS — Wed, 27 Aug 2014 06:55:29 GMT

feel free to up-vote and or accept any answers to show your support - and you will get karma too 😉

Re: Syslog disk full Alert after changing hostname of the server

thesriidhar — Wed, 27 Aug 2014 08:50:20 GMT

If you rename the syslog server (linux), need to change the same host name in the following files:

/opt/splunkforwarder/etc/system/local/input.conf

/opt/splunkforwarder/etc/system/local/server.conf

Once it is done, need to restart the Splunk services.

/etc/init.d/splunk restart

After it is done, it will reflect with in 10 mins. (But still Splunk will show the same old host name as well, but after 24 hours it will remove it automatically.)

Finally worked for me.

Thank you all for your time n efforts !!!