Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Heavy Forwarders stopped receiving some logs

vnguyen46
Contributor
‎02-13-2020 12:44 PM

Hi,

I have a new HF once accepted logs for about a week, then stopped receiving on almost all logs at a same time.
I compared this HF with the old working one and I don't see rotated logs created on the new HF.

For instance, in log1 directory, I see log1.log and several other copies like log1.log-date1.gz and log1.log-date2.gz and so on, but on the new HF I only see log1.log.

I think not creating rotated logs on the HF could be the issue, but not sure and how to have these rotated logs created.
Anyone can help, I appreciate it.

Thanks,

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-13-2020 12:53 PM

Have you verified the new HF is running (splunk status)?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vnguyen46
Contributor
‎02-13-2020 12:59 PM

Hi - yes, it's running. I don't see any .gz files in any directories.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-13-2020 05:01 PM

Heavy Forwarders typically don't use a directory called "log1" so I wonder if you're looking at a syslog directory. If so, make sure the syslog process is running and data sources are still sending to it (no new firewall rule is blocking them, for instance).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vnguyen46
Contributor
‎02-14-2020 04:34 AM

Hi richgalloway - on HF, log stored at: /opt/splunklogs/hostname/hostname.log
I also see some files like hostname.log-timestamp.gz. Are these .gz files created by Splunk and supposed to be there?

Thank you,

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-14-2020 01:44 PM

Usually those are created e.g. some syllogism variant not Splunk. You should figure out which tool is used on your environment to deliver / received those logs. Many times it is syslog, syslog-ng or rsyslog. And on network topology there could be a load balancer before those HF hosts to distribute events to all of those hosts.

And probably there is also some log rotation tools to rotate and zip those logs?

R. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...