We have a Splunk Cloud that is replacing our On-prem. We currently have firewall logs going to a Syslog server that is then being sent to Splunk Cloud. We have installed the App/Add-on on the search head and it is mostly being used for CIM as the rsyslog is doing most of the work. We have an issue where we are not seeing any new data in our Splunk Cloud. I have checked the rsyslog.conf and everything appears right as far as what file path it is monitoring and what IPs it is getting it from. I have checked and confirmed all new logs are still going to the syslog server and data is still going to our on-prem server.
It would appear to be some disconnect between the Syslog server and our splunk cloud, but not 100% what else to check at this moment
You must have something that connects rsyslog to Splunk Cloud. Usually, that's a Universal Forwarder, but it could be a heavy forwarder. Verify that the forwarder is running. Check the log for errors that may indicate why data is not flowing.
--- If this reply helps you, an upvote would be appreciated.
Thank you for the reply. I checked and all seems to be well with this. However, looking through the logs again I did see an error where it is Enqueuing a very large log file (the one it is sending to the cloud) and has a large number of bytes to read, so that appears to be causing some issues as I think it may be getting backed up and not sending.
I checked and we have 2 parallel ingestion pipelines and our max throughput is 0.
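The following is an added example, not code from this thread or from Splunk: a small POSIX shell triage of a forwarder's splunkd.log that covers both the advice above (check the forwarder log for errors) and the symptom reported afterwards (the batch reader enqueuing a very large file). The install path, the log path and the sample log lines are assumptions; the sample lines are constructed in the general shape of splunkd.log output so the script can be exercised offline, and a real log can be passed as the first argument instead.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk). Triage a Universal
# Forwarder's splunkd.log for output connection problems and batch-reader
# "very large file" messages. SPLUNK_HOME is an assumed default.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNKD_LOG="$SPLUNK_HOME/var/log/splunk/splunkd.log"

# Count lines in log file $1 containing fixed string $2; prints 0 when the
# file is unreadable or nothing matches (grep -c exits 1 on zero matches).
count_matches() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    grep -c -F -- "$2" "$1" || true
}

# Largest bytes_to_read= value the batch reader reported in log file $1.
largest_bytes_to_read() {
    sed -n 's/.*bytes_to_read=\([0-9]*\).*/\1/p' "$1" | sort -n | tail -n 1
}

# Print a short triage summary for log file $1 (defaults to the UF's log).
triage_splunkd_log() {
    log="${1:-$SPLUNKD_LOG}"
    if [ ! -r "$log" ]; then
        echo "cannot read $log" >&2
        return 1
    fi
    echo "ERROR lines:                   $(count_matches "$log" ' ERROR ')"
    echo "WARN lines:                    $(count_matches "$log" ' WARN ')"
    echo "TcpOutputProc messages:        $(count_matches "$log" 'TcpOutputProc')"
    echo "very large file enqueues:      $(count_matches "$log" 'Enqueuing a very large file')"
    echo "largest bytes_to_read:         $(largest_bytes_to_read "$log")"
}

# Constructed sample log (NOT real forwarder output), written to file $1,
# shaped like splunkd.log lines so the triage functions can be run offline.
write_sample_log() {
    cat > "$1" <<'EOF'
01-15-2024 10:00:01.123 +0000 INFO  TailReader - Enqueuing a very large file=/var/log/remote/firewall.log in the batch reader, with bytes_to_read=5368709120, reading_bytes_remaining=5368709120
01-15-2024 10:00:05.456 +0000 WARN  TcpOutputProc - Cooked connection to ip=203.0.113.10:9997 timed out
01-15-2024 10:00:35.789 +0000 ERROR TcpOutputProc - Connection to host=203.0.113.10:9997 failed
01-15-2024 10:01:00.000 +0000 INFO  TcpOutputProc - Connected to idx=203.0.113.10:9997, pset=0, reuse=0.
EOF
}

# Stand-alone run: triage a real log given as $1, otherwise the sample log.
if [ -n "$1" ]; then
    triage_splunkd_log "$1"
else
    tmp=$(mktemp)
    write_sample_log "$tmp"
    triage_splunkd_log "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh triage.sh /opt/splunkforwarder/var/log/splunk/splunkd.log` on the forwarder host. A non-zero count of TcpOutputProc warnings or errors points at the forwarder-to-cloud connection, while a large bytes_to_read value with no output errors points at the batch reader working through a backlog on a single large file rather than at connectivity.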