topic Re: Not receiving logs from Syslog Server in Getting Data In

Not receiving logs from Syslog Server

damode — Tue, 27 Feb 2018 00:05:56 GMT

I have set up a universal forwarder to read logs from kiwi syslog server.
Universal Forwarder is set to forward logs to the Indexer via Heavy Forwarder.
I have also set up the Heavy Forwarder as deployment server.
I have deployed the following inputs.conf to the U.F by deploying an app from the deployment server.

[monitor://C:\Program Files (x86)\Syslogd\Logs\x.x.x.x\log*.txt]
index = main
sourcetype = syslog
disabled = false

With all the above settings, I still cant see any logs on the Indexer.
I have confirmed following things already,

U.F has the right privilege to read logs from syslog's log folder.
network connection established between Syslog Server and H.F on H.F's port 9997 and 8089.
receiving port 9997 on Indexer enabled.

splunk btool inputs list monitor command also does not work on the U.F
Please help me troubleshoot this.
Thank you.

Re: Not receiving logs from Syslog Server

stefanhutchison — Tue, 27 Feb 2018 00:37:08 GMT

Any messages in the splunkd.log file on the universal forwarder? It would be in Splunk_home\var\log\splunk\splunkd.log

Re: Not receiving logs from Syslog Server

damode — Tue, 27 Feb 2018 01:16:44 GMT

There are only INFO messages.

Strangely, after I restarted the universal forwarder and re-deployed the app, I was able to see logs on the Indexer now. However, I am still unsure where was the fault.

Does restarting the U.F or splunk reload deploy-server both required to apply config settings on U.F ?

Also, in Forwarder Management, it shows me all info like apps, server classes and deployment client, however, in Settings-->Server Settings--> Deployment Client, it shows nothing at all. Any reason why ?