Re: Forwarder stopped forwarding after restart of ...

johnsmithman2 · ‎08-09-2012

I am using the VMware Syslog collector to collect the logs from my ESXi hosts and send them to Splunk with the universal forwarder. Everything was working great until I restarted the server with the Syslog collector and the universal forwarder today. The logs are no longer being forwarded or Splunk is not indexing the received messages, what could cause this?

I know it is not a problem with the VMware Syslog collector because the service is running fine and the logs are being updated from the ESXi hosts.

Any ideas on what causes this after a restart?

idsiano · ‎03-18-2015

In this thread it was explained that is a VMWare issue

kreszan · ‎09-19-2014

I have similar issue @ 6.0. Any resolution to this ?

mrflibbleuk · ‎11-05-2012

Did you get any resolution to this one? I have had a similar issue, when I restarted the main Splunk server the Heavy forwarders seem to be unable to communicate to the server. Looking at the forwarder event logs I am getting an 'eventType=connect_fail' everytime it attempts to connect.

Sometimes restarting the splunk forwarder makes it psring back into life.

johnsmithman2 · ‎08-09-2012

Yes it is, I should have mentioned that also.

Drainy · ‎08-09-2012

Have you verified that the universal forwarder is also still running?

Forwarder stopped forwarding after restart of server

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation