<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco ironport syslog broken pipe in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-ironport-syslog-broken-pipe/m-p/353733#M64741</link>
    <description>&lt;P&gt;Hello&lt;/P&gt;

&lt;P&gt;I configured Splunk to handle TCP syslog from ironport appliances:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcp://514]
connection_host = dns
index = ironport
source = mailinfra
sourcetype = cisco:esa:textmail
queueSize = 10MB
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;but there are quite a lot of alerts on the ironport side:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Log Error: Subscription mrelay_mail_logs: Network error while sending log data to syslog server 10.91.2.3 (10.1.2.3): [Errno 32] Broken pipe
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Ironport sends the logs on a VIP which is forwarded to a pool of Splunk Heavy Forwarders.&lt;/P&gt;

&lt;P&gt;I'm gonna check if multiple TCP sessions can be optimized on the loadbalancer, but is there any specific Splunk inputs.conf parameter I should check as well? Thanks.&lt;/P&gt;</description>
    <pubDate>Tue, 14 Mar 2017 09:06:18 GMT</pubDate>
    <dc:creator>sassens1</dc:creator>
    <dc:date>2017-03-14T09:06:18Z</dc:date>
    <item>
      <title>Cisco ironport syslog broken pipe</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-ironport-syslog-broken-pipe/m-p/353733#M64741</link>
      <description>&lt;P&gt;Hello&lt;/P&gt;

&lt;P&gt;I configured Splunk to handle TCP syslog from ironport appliances:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcp://514]
connection_host = dns
index = ironport
source = mailinfra
sourcetype = cisco:esa:textmail
queueSize = 10MB
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;but there are quite a lot of alerts on the ironport side:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Log Error: Subscription mrelay_mail_logs: Network error while sending log data to syslog server 10.91.2.3 (10.1.2.3): [Errno 32] Broken pipe
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Ironport sends the logs on a VIP which is forwarded to a pool of Splunk Heavy Forwarders.&lt;/P&gt;

&lt;P&gt;I'm gonna check if multiple TCP sessions can be optimized on the loadbalancer, but is there any specific Splunk inputs.conf parameter I should check as well? Thanks.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Mar 2017 09:06:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-ironport-syslog-broken-pipe/m-p/353733#M64741</guid>
      <dc:creator>sassens1</dc:creator>
      <dc:date>2017-03-14T09:06:18Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ironport syslog broken pipe</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-ironport-syslog-broken-pipe/m-p/353734#M64742</link>
      <description>&lt;P&gt;Same problem here? May I know any solution that I can do? Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 12 May 2017 01:16:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-ironport-syslog-broken-pipe/m-p/353734#M64742</guid>
      <dc:creator>hkhkgais</dc:creator>
      <dc:date>2017-05-12T01:16:25Z</dc:date>
    </item>
  </channel>
</rss>

