Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: BlueCoat logs are not Processing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BlueCoat logs are not Processing
Hello ,
In our splunk environment ,blueCoat logs are getting into Forwarder, but they aren't getting into the indexer from the forwarder . can anyone help us in troubleshooting or to find where the Problem is .Thanks in advance .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post additional information to help clarify your issue?
- Are the logs being sent to syslog and then being forwarded to Splunk?
- Are you using a heavy or universal forwarder?
- Is the forwarder configured to forward other event logs or only BlueCoat? If the former, are the other event logs being properly forwarded to Splunk?
- Have you tried stopping and restarting the forwarder service?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
some times when I try to find the "bluecoat_syslogs" through the search head , i'm getting the logs sometimes and sometimes it gives 'no results found' . May i know why this is happening ,how to overcome the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Adam ,
We are using Heavy forwarder . the logs are being sent to syslog and then forwarded to heavy forwarder,from the forwarder the logs are unable to getting into Indexer.
It was yesterday morning around 5.45 am is the last updated and up to now we are unable to see any log being getting generated
Other event logs are being properly forwarded and indexed .
I have restarted the forwarder service and still unable to find the logs being updated .
-Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are the BlueCoat logs still being forwarded to the syslog server? Have you noticed errors in any of the log files (splunkd.log, etc.)?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello Adam ,
This is the stanza we tried to execute and check for the logs
"[monitor:///opt/syslogs/proxy/...]
whitelist = .log$
sourcetype = bluecoat_syslog
index = net_proxy
host_segment = 4"
We have verified the splunkd.log , we cannot see any error in that .the data is getting injected but it is intermediate .
Is there any other way to fix it Permanently,
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
