Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to reconfigure syslog-ng when file is getting updated but data isn't getting into indexer (Universal Forwarder)?

martinnepolean
Explorer
‎09-01-2020 02:38 AM

Hi,

We have configured syslog-ng to send data to indexers, Sometimes, the syslog file is getting updated but data is not getting into indexer. For the same index we are getting data from other files but only one file is not getting indexed. We have to restart syslog splunk process to get the indexing

We have below setting configured already.

[thruput]
maxKBps = 0

[inputproc]
max_fd = 1000

[tcpout:targetgrpmaster]
autoLBFrequency = 30
indexerDiscovery = masterindexdiscovery
forceTimebasedAutoLB = True
maxQueueSize = 128MB

[general]
parallelIngestionPipelines = 6

[queue]
maxSize = 256MB

[queue=parsingQueue]
maxSize = 128MB

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-02-2020 09:37 AM

Hi

can you explain this little bit more?

Are you running syslog-ng on the same box and collecting events to file(s) by it and then ingesting those with splunk or are you sending events directly to splunk udp/tcp port?

Can you share your input definitions?

r. Ismo

0 Karma
Reply

martinnepolean
Explorer
‎09-03-2020 01:37 AM

Hi Ismo,

 

Yes, we are using syslog-ng and collect data using UCP&TCP to log file and using UF inputs.conf and outputs.conf, we are sending it to splunk indexers

 

 

[monitor:///opt/syslog_ng/logs/juniper/.../*.log]
sourcetype = juniper:firewall
index = juniper_index
#_TCP_ROUTING = splunkprodhf
ignoreOlderThan = 30d
disabled = false
host_segment = 5

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-04-2020 10:44 AM

Hi

this inputs.conf seems to be used for several nodes. Are all other working or have those also issues time by time? 

Are there any other inputs or is these syslog files only in use?

The node which you are using is linux UF with splunk UF version x.x.x?

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...