https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471932#M81097 <P>Hi - yes, it's running. I don't see any .gz files in any directories.</P> Thu, 13 Feb 2020 20:59:30 GMT vnguyen46 2020-02-13T20:59:30Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471930#M81095 <P>Hi,</P> <P>I have a new HF once accepted logs for about a week, then stopped receiving on almost all logs at a same time.<BR /> I compared this HF with the old working one and I don't see rotated logs created on the new HF.</P> <P>For instance, in log1 directory, I see log1.log and several other copies like log1.log-date1.gz and log1.log-date2.gz and so on, but on the new HF I only see log1.log.</P> <P>I think not creating rotated logs on the HF could be the issue, but not sure and how to have these rotated logs created.<BR /> Anyone can help, I appreciate it.</P> <P>Thanks,</P> Thu, 13 Feb 2020 20:44:46 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471930#M81095 vnguyen46 2020-02-13T20:44:46Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471931#M81096 <P>Have you verified the new HF is running <CODE>(splunk status)</CODE>?</P> Thu, 13 Feb 2020 20:53:01 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471931#M81096 richgalloway 2020-02-13T20:53:01Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471932#M81097 <P>Hi - yes, it's running. I don't see any .gz files in any directories.</P> Thu, 13 Feb 2020 20:59:30 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471932#M81097 vnguyen46 2020-02-13T20:59:30Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471933#M81098 <P>Heavy Forwarders typically don't use a directory called "log1" so I wonder if you're looking at a syslog directory. If so, make sure the syslog process is running and data sources are still sending to it (no new firewall rule is blocking them, for instance).</P> Fri, 14 Feb 2020 01:01:19 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471933#M81098 richgalloway 2020-02-14T01:01:19Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471934#M81099 <P>Hi richgalloway - on HF, log stored at: /opt/splunklogs/hostname/hostname.log<BR /> I also see some files like hostname.log-timestamp.gz. Are these .gz files created by Splunk and supposed to be there?</P> <P>Thank you,</P> Fri, 14 Feb 2020 12:34:14 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471934#M81099 vnguyen46 2020-02-14T12:34:14Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471935#M81100 <P>Usually those are created e.g. some syllogism variant not Splunk. You should figure out which tool is used on your environment to deliver / received those logs. Many times it is syslog, syslog-ng or rsyslog. And on network topology there could be a load balancer before those HF hosts to distribute events to all of those hosts.</P> <P>And probably there is also some log rotation tools to rotate and zip those logs?</P> <P>R. Ismo</P> Fri, 14 Feb 2020 21:44:28 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarders-stopped-receiving-some-logs/m-p/471935#M81100 isoutamo 2020-02-14T21:44:28Z