Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to reconfigure syslog-ng when file is getting updated but data isn't getting into indexer (Universal Forwarder)?

martinnepolean
Explorer
‎09-01-2020 02:38 AM

Hi,

We have configured syslog-ng to send data to indexers, Sometimes, the syslog file is getting updated but data is not getting into indexer. For the same index we are getting data from other files but only one file is not getting indexed. We have to restart syslog splunk process to get the indexing

We have below setting configured already.

[thruput]
maxKBps = 0

[inputproc]
max_fd = 1000

[tcpout:targetgrpmaster]
autoLBFrequency = 30
indexerDiscovery = masterindexdiscovery
forceTimebasedAutoLB = True
maxQueueSize = 128MB

[general]
parallelIngestionPipelines = 6

[queue]
maxSize = 256MB

[queue=parsingQueue]
maxSize = 128MB

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-02-2020 09:37 AM

Hi

can you explain this little bit more?

Are you running syslog-ng on the same box and collecting events to file(s) by it and then ingesting those with splunk or are you sending events directly to splunk udp/tcp port?

Can you share your input definitions?

r. Ismo

0 Karma
Reply

martinnepolean
Explorer
‎09-03-2020 01:37 AM

Hi Ismo,

 

Yes, we are using syslog-ng and collect data using UCP&TCP to log file and using UF inputs.conf and outputs.conf, we are sending it to splunk indexers

 

 

[monitor:///opt/syslog_ng/logs/juniper/.../*.log]
sourcetype = juniper:firewall
index = juniper_index
#_TCP_ROUTING = splunkprodhf
ignoreOlderThan = 30d
disabled = false
host_segment = 5

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-04-2020 10:44 AM

Hi

this inputs.conf seems to be used for several nodes. Are all other working or have those also issues time by time? 

Are there any other inputs or is these syslog files only in use?

The node which you are using is linux UF with splunk UF version x.x.x?

r. Ismo

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...