topic Re: syslog forwarding data with HA in Getting Data In

syslog forwarding data with HA

surekhasplunk — Sun, 05 Jul 2020 01:45:15 GMT

I have two syslog servers syslog1 and syslog2

For all of the sources i am getting the data into both the syslog servers but indexing data from 1 syslog.

But for one of the sources i a receiving data only on one syslog server that is syslog1 and not on syslog2.

But everything else right now is getting forwarder from syslog2.

Now i dont know how and where to start trouble shooting from

Please help.

Re: syslog forwarding data with HA

gcusello — Sun, 05 Jul 2020 08:43:51 GMT

Hi @surekhasplunk ,

you spoke of HA, does this mean that you have also a Load Balancer in front of the two syslog servers?

If not, you don't have HA, so think to add this laier to your architecture.

If yes it could be possible that it's the LB to distribute traffic in only one syslog server.

You can test this turning off one of them and verifying that the other continue to receive and forward all the syslogs.

Then how do you verified that only one server is sending its syslogs to the Indexer?

Ciao.

Giuseppe

Re: syslog forwarding data with HA

surekhasplunk — Mon, 06 Jul 2020 02:13:10 GMT

Hi @gcusello ,

currently i am receiving data getting indexed from syslog1 server for 2 different sources/indexes.

But i am receiving data on syslog2 server for 1 source/index.

and yes load balancer is there balancing in terms of volume.

while we are investigating why 2nd source/index is not received on syslog2 server i need your help in understanding why in this scenario syslog1's data is not getting indexed for both source types.

Re: syslog forwarding data with HA

gcusello — Mon, 06 Jul 2020 05:33:18 GMT

Hi @surekhasplunk ,

as i said, probably is the Load Balancer that's sending logs to only one syslog server for one of the sources, check if your indexers is receiving all the logs and what happens if you turn off one of the syslog servers.

Ciao.

Giuseppe

Re: syslog forwarding data with HA

surekhasplunk — Mon, 06 Jul 2020 09:37:53 GMT

Hi ,

In the indexer i am seeing below info without anything getting indexed.

07-06-2020 10:11:54.836 +0100 INFO CMSlave - event=setBucketSummaries bid=fgt~XXX~XXXXX update=fgt~XXX~XXXXXX
07-06-2020 10:11:54.836 +0100 INFO CMRepJob - running job=CMUpdateSummaries_AndRegisterSummariesSuccess updates=fgt~XXX~XXXXX

Not sure what this means

Re: syslog forwarding data with HA

gcusello — Mon, 06 Jul 2020 09:40:45 GMT

Hi @surekhasplunk ,

in normal working, are you seeing all the logs or not?

did you tried to turn off one of the syslogs servers?

Ciao.

Giuseppe