Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I debug syslog that dont get into splunk whereas I can see the log when I use tcpdump

ryanf
Engager
‎09-05-2024 12:30 AM

Hi everyone,

I’m currently sending vCenter logs via syslog to Splunk and have ensured that the syslog configuration and index name on Splunk is correct. However, the logs still aren’t appearing in the index.

I have tried to tcpdump and I can see the logs arriving at my Splunk instance.

below I attach the syslog configuration and tcpdump result on my splunk instance.

syslog tcpdump.jpg

WhatsApp Image 2024-09-05 at 14.10.09_4daa6736.jpg

What could be the cause of this issue, and what steps should I take to troubleshoot it?

Thanks for any insights!

Labels (1)
Labels
0 Karma
Reply

JohnEGones
Communicator
‎09-05-2024 06:57 AM

A few questions:

Do you have a TA for the logs you are ingesting and are they set-up on all the needed Splunk components, check your DOCs?

Looking at the _internal logs, do you see that Splunk has ingested them?

Can you do a search for a string that exists in your logs across all you indexes and find any responsive logs, in the time you verified that the data was ingested?

 

Also, for syslog data in general it is simpler and more durable to forward data to a syslog server and have a UF monitor relevant files and then you set-up monitoring stanzas per host/data source.

[monitor://var/log...whatever]
whitelist = regex
blacklist = regex
host_segment = as needed
crcSalt = <SOURCE> {as needed}
sourcetype = syslog {or whatever you want}
index = yourIndex

 

Consult also: How the Splunk platform handles syslog data over the UDP network protocol - Splunk Documentation

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...