https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379771#M68600 <P>Are you seeing errors at index=_internal source splunkd?</P> Thu, 20 Sep 2018 10:45:38 GMT dauren_akilbeko 2018-09-20T10:45:38Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379770#M68599 <P>I installed Splunk last week, and I'm only collecting data (syslog) from one source.</P> <P>Data stopped being collected this morning. I use Wireshark on the source server and Splunk, and I see that syslog are coming and going, but I don't see logs in Splunk. Latest event 3 hours ago.</P> <P>License: Trial license group<BR /> License expiration Nov 17, 2018 4:04:30 PM<BR /><BR /> Licensed daily volume 500 MB<BR /><BR /> Volume used today 121 MB (24.135% of quota)<BR /><BR /> OS Windows 10 (Microsoft Windows [Version 10.0.16299.15])<BR /> SPLUNK Version:7.1.3 Build:51d9cac7b837</P> Thu, 20 Sep 2018 09:21:13 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379770#M68599 lorder 2018-09-20T09:21:13Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379771#M68600 <P>Are you seeing errors at index=_internal source splunkd?</P> Thu, 20 Sep 2018 10:45:38 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379771#M68600 dauren_akilbeko 2018-09-20T10:45:38Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379772#M68601 <P>You should read or watch this excellent session from .conf 2017 - it was a very well attended session. This will give you a best practice syslog server to collect the logs:</P> <P><A href="http://conf.splunk.com/sessions/2017-sessions.html#search=critical%20syslog%20tricks&amp;">http://conf.splunk.com/sessions/2017-sessions.html#search=critical%20syslog%20tricks&amp;</A><BR /> <A href="https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about.pdf">https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about.pdf</A></P> Thu, 20 Sep 2018 17:52:48 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379772#M68601 JDukeSplunk 2018-09-20T17:52:48Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379773#M68602 <P>hi @lorder,</P> <P>Could you give us some more context on this issue? For instance, as @dauren_akilbekov said, have you documented any errors that you could post? The more information you provide the community, the better chance you have of getting your question answered.</P> <P>Thanks for posting!</P> Thu, 20 Sep 2018 20:51:32 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379773#M68602 mstjohn_splunk 2018-09-20T20:51:32Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379774#M68603 <P>I use "index=_internal log_level=ERROR" and last eerors is:</P> <P>09-20-2018 16:40:21.585 +0500 ERROR KVStoreBulletinBoardManager - KV Store changed status to failed. KVStore process terminated.</P> <P>09-20-2018 16:40:21.584 +0500 ERROR KVStoreBulletinBoardManager - KV Store process terminated abnormally (exit code 14, status exited with code 14). See mongod.log and splunkd.log for details.</P> <P>09-20-2018 16:40:21.568 +0500 ERROR MongodRunner - mongod exited abnormally (exit code 14, status: exited with code 14) - look at mongod.log to investigate.</P> <P>2018-09-20 11:53:28,490 ERROR [5ba0dbbf9d126fbfbf240] root:130 - ENGINE: Handler for console events already off.</P> Tue, 29 Sep 2020 21:18:08 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-collecting-syslog-logs/m-p/379774#M68603 lorder 2020-09-29T21:18:08Z