https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34308#M6227 <P>I found the problem. The same day of the update, a configuration change had been made in props.conf (under ./etc/system/local). A stanza had been created to match data sent by three specific hosts (just say: serverA, serverB and serverC). There was a typo in this stanza name! It had been defined as:</P> <P>[host::serverA|host::serverB||host::serverC]</P> <P>instead of</P> <P>[host::serverA|host::serverB|host::serverC]</P> <P>The double "||" caused a "match-all" situation. In addition, this stanza has a conditional redirect of all the events, with the exception of the required ones, to the null queue. All the syslog events, as a result, were discarded!</P> Mon, 19 Aug 2013 09:10:08 GMT mas 2013-08-19T09:10:08Z https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34305#M6224 <P>After the upgrade to Splunk 5.0.3, my syslog data sources suddenly stopped to work. Using MS Network Monitor and Wireshark, I am able to see syslog packets reaching the server. Upgrading to 5.0.4 did not resolve the issue.</P> <P>Splunk is installed on a Windows 2008 R2 machine.</P> <P>Anyone experiencing the same problem?</P> Wed, 14 Aug 2013 09:07:44 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34305#M6224 mas 2013-08-14T09:07:44Z https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34306#M6225 <P>Can you verify your inputs? Did you make changes in a default/inputs.conf file? They may have been overwritten. Does the input appear in the manager?</P> Thu, 15 Aug 2013 17:24:37 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34306#M6225 alacercogitatus 2013-08-15T17:24:37Z https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34307#M6226 <P>Hi alacercogitatus, thank you for your answer. I never change conf files in "default" folders. The input appears in the manager. In addition, I tried to install a syslog server (temporary disabling the input source) and syslog messages were traced correctly.</P> <P>It seems that Splunk is refusing to collect data for this data source.</P> Mon, 19 Aug 2013 06:56:51 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34307#M6226 mas 2013-08-19T06:56:51Z https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34308#M6227 <P>I found the problem. The same day of the update, a configuration change had been made in props.conf (under ./etc/system/local). A stanza had been created to match data sent by three specific hosts (just say: serverA, serverB and serverC). There was a typo in this stanza name! It had been defined as:</P> <P>[host::serverA|host::serverB||host::serverC]</P> <P>instead of</P> <P>[host::serverA|host::serverB|host::serverC]</P> <P>The double "||" caused a "match-all" situation. In addition, this stanza has a conditional redirect of all the events, with the exception of the required ones, to the null queue. All the syslog events, as a result, were discarded!</P> Mon, 19 Aug 2013 09:10:08 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-data-source-and-Splunk-5-0-3-on-Windows-2008/m-p/34308#M6227 mas 2013-08-19T09:10:08Z