<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: rsyslog no send logs in specific ip range in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/rsyslog-no-send-logs-in-specific-ip-range/m-p/511427#M86871</link>
    <description>&lt;P&gt;With the command &lt;STRONG&gt;netstat -an | grep 9997&lt;/STRONG&gt; you are guaranteeing that the server has the port open and in the listening state.&lt;/P&gt;&lt;P&gt;The problem was due to the policies of one of the firewalls.&lt;/P&gt;</description>
    <pubDate>Wed, 29 Jul 2020 00:06:16 GMT</pubDate>
    <dc:creator>splunkcol</dc:creator>
    <dc:date>2020-07-29T00:06:16Z</dc:date>
    <item>
      <title>rsyslog no send logs in specific ip range</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/rsyslog-no-send-logs-in-specific-ip-range/m-p/509919#M86715</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I have 2 indexers.&lt;/P&gt;&lt;P&gt;With the command I confirm that port 9997 is open.&lt;/P&gt;&lt;P&gt;In one of the two indexers all the incoming connections remain in the "SYN_RECV" state.&lt;/P&gt;&lt;P&gt;In the other indexer some are in the "SYN_RECV" state and others are "ESTABLISHED".&lt;/P&gt;&lt;P&gt;The funny thing is that one IP range is connected and the other IP range is not.&lt;/P&gt;&lt;P&gt;tcpdump is a relative test, because those in the "ESTABLISHED" state are not recognized by ping, telnet, or sniffer but deliver the logs to the indexer and the indexer to the search head and are displayed normally.&lt;/P&gt;&lt;P&gt;The firewall area says that the policies are correct.&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I am guaranteeing that port 9997 is in the listening state. Is it a Splunk configuration problem, or is it a transmission level network policy problem?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN&lt;BR /&gt;tcp 0 0 172.27.29.71:9997 &lt;STRONG&gt;192.168.71&lt;/STRONG&gt;.13:49603 &lt;STRONG&gt;SYN_RECV&lt;/STRONG&gt;&lt;BR /&gt;tcp 0 0 172.27.29.71:9997 &lt;STRONG&gt;192.168.71&lt;/STRONG&gt;.13:49601 &lt;STRONG&gt;SYN_RECV&lt;/STRONG&gt;&lt;BR /&gt;tcp 0 0 172.27.29.71:9997 &lt;U&gt;192.168.70&lt;/U&gt;.17:59856 &lt;U&gt;ESTABLISHED&lt;/U&gt;&lt;BR /&gt;tcp 315 0 172.27.29.71:9997 &lt;U&gt;192.168.70&lt;/U&gt;.16:56015 &lt;U&gt;ESTABLISHED&lt;/U&gt;&lt;BR /&gt;tcp 0 0 172.27.29.71:9997 &lt;STRONG&gt;192.168.71&lt;/STRONG&gt;.12:57122 &lt;STRONG&gt;SYN_RECV&lt;/STRONG&gt;&lt;BR /&gt;tcp 0 0 172.27.29.71:9997 &lt;U&gt;192.168.70&lt;/U&gt;.14:51241 ESTABLISHED&lt;BR /&gt;tcp 0 0 172.27.29.71:9997 &lt;STRONG&gt;192.168.71&lt;/STRONG&gt;.13:49605 &lt;STRONG&gt;SYN_RECV&lt;/STRONG&gt;&lt;BR /&gt;tcp 0 0 172.27.29.71:9997 &lt;STRONG&gt;192.168.71&lt;/STRONG&gt;.12:57119 &lt;STRONG&gt;SYN_RECV&lt;/STRONG&gt;&lt;BR /&gt;tcp 3877460 0 172.27.29.71:9997 172.29.4.39:34311 ESTABLISHED&lt;BR /&gt;tcp 0 0 172.27.29.71:9997 &lt;STRONG&gt;192.168.71&lt;/STRONG&gt;.13:49598 &lt;STRONG&gt;SYN_RECV&lt;/STRONG&gt;&lt;BR /&gt;tcp 3211190 0 172.27.29.71:9997 192.168.70.12:55205 ESTABLISHED&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 19 Jul 2020 20:49:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/rsyslog-no-send-logs-in-specific-ip-range/m-p/509919#M86715</guid>
      <dc:creator>splunkcol</dc:creator>
      <dc:date>2020-07-19T20:49:05Z</dc:date>
    </item>
    <item>
      <title>Re: rsyslog no send logs in specific ip range</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/rsyslog-no-send-logs-in-specific-ip-range/m-p/511427#M86871</link>
      <description>&lt;P&gt;With the command &lt;STRONG&gt;netstat -an | grep 9997&lt;/STRONG&gt; you are guaranteeing that the server has the port open and in the listening state.&lt;/P&gt;&lt;P&gt;The problem was due to the policies of one of the firewalls.&lt;/P&gt;</description>
      <pubDate>Wed, 29 Jul 2020 00:06:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/rsyslog-no-send-logs-in-specific-ip-range/m-p/511427#M86871</guid>
      <dc:creator>splunkcol</dc:creator>
      <dc:date>2020-07-29T00:06:16Z</dc:date>
    </item>
  </channel>
</rss>

