Hi team,

I have a Windows 10 machine sending logs to Splunk Enterprise.

For that I opened a port tcp 514.

Checking on metrics.log I see the events being delivered to Splunk (the IP for Windows 10 is 192.168.2.11)

02-09-2023 08:55:06.031 +0000 INFO Metrics - group=tcpin_connections, 192.168.2.11:49713:514, connectionType=raw, sourcePort=49713, sourceHost=192.168.2.11, sourceIp=192.168.2.11, destPort=514, kb=0.000, _tcp_Bps=0.000, _tcp_KBps=0.000, _tcp_avg_thruput=0.012, _tcp_Kprocessed=339.454, _tcp_eps=0.000, _process_time_ms=0, evt_misc_kBps=0.000, evt_raw_kBps=0.000, evt_fields_kBps=0.000, evt_fn_kBps=0.000, evt_fv_kBps=0.000, evt_fn_str_kBps=0.000, evt_fn_meta_dyn_kBps=0.000, evt_fn_meta_predef_kBps=0.000, evt_fn_meta_str_kBps=0.000, evt_fv_num_kBps=0.000, evt_fv_str_kBps=0.000, evt_fv_predef_kBps=0.000, evt_fv_offlen_kBps=0.000, evt_fv_fp_kBps=0.000

I can see events from yesterday from that machine but today I see nothing.

Events are sent on syslog format with message in CEF.

So, why I can see yesterday events but not today events even if I see the events getting to Splunk server?

Where can I check any log that let me know if something is getting wrong?

Thanks in advance