https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476230#M81752 <P>"Verify the ports have a listener on them" - would you please give more details on this?</P> <P>Thanks,</P> Tue, 07 Jan 2020 18:34:56 GMT vnguyen46 2020-01-07T18:34:56Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476228#M81750 <P>Hi,<BR /> After migrated Splunk Enterprise to a new hardware, my HFs stop receiving logs over port 514/1514. It's verified these ports are open on the new HFs. The new system is receiving logs from UFs running on Windows and from Cloud-based (AWS).</P> <P>What other configuration needs to be done like syslog daemon or any things else for the new HFs to receive logs being sent over port 514/1514 like F5 and other network devices?</P> <P>Thank you, </P> Tue, 07 Jan 2020 17:33:54 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476228#M81750 vnguyen46 2020-01-07T17:33:54Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476229#M81751 <P>Verify the ports have a listener on them. Check your firewall(s) to ensure connectivity.<BR /> If the HF moved to a new address, make sure all clients have that address.</P> Tue, 07 Jan 2020 17:41:12 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476229#M81751 richgalloway 2020-01-07T17:41:12Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476230#M81752 <P>"Verify the ports have a listener on them" - would you please give more details on this?</P> <P>Thanks,</P> Tue, 07 Jan 2020 18:34:56 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476230#M81752 vnguyen46 2020-01-07T18:34:56Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476231#M81753 <P>Don't you think I need to configure the daemon syslog on the new HFs so they can receive the logs?</P> Tue, 07 Jan 2020 18:43:35 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476231#M81753 vnguyen46 2020-01-07T18:43:35Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476232#M81754 <P>I use <CODE>netstat -ln | grep 514</CODE>.</P> Tue, 07 Jan 2020 18:45:04 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476232#M81754 richgalloway 2020-01-07T18:45:04Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476233#M81755 <P>Yes, you absolutely need to do that.</P> Tue, 07 Jan 2020 18:47:29 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476233#M81755 richgalloway 2020-01-07T18:47:29Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476234#M81756 <P>I used nc and received this:<BR /> ss -lnt4p | grep 514<BR /> LISTEN 0 128 <EM>:514 *:</EM><BR /> LISTEN 0 128 127.0.0.1:51490 <EM>:</EM><BR /> LISTEN 0 128 <EM>:1514 *:</EM></P> <P>Does that mean I have listeners on both 514 and 1514?</P> Tue, 07 Jan 2020 20:47:13 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476234#M81756 vnguyen46 2020-01-07T20:47:13Z https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476235#M81757 <P>Hi Richgalloway,</P> <P>I'd like to circle back on HFs stopped receiving logs. All logs were once received well after system admin fixed the daemon log. Then last Thursday, HFs suddenly stopped receiving 9 out of 10 logs at almost same time. There is no issue with new logs. Disk space and network connection are not the cause. </P> <P>Would you please share what you think?</P> <P>Thank you,</P> Thu, 13 Feb 2020 19:35:06 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarder-not-receiving-logs/m-p/476235#M81757 vnguyen46 2020-02-13T19:35:06Z