Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to troubleshoot Syslog-ng -> Splunk issue?

echojacques
Builder
‎12-05-2013 07:51 AM

Hello,

My Splunk installation is configured to ingest data from many different sources. Approximately half of the sources are direct (device -> Splunk) and the other half are indexed from a syslog-ng server (device -> syslog -> Splunk). A few days ago, Splunk stopped indexing all data from the syslog server (about 10 different sourcetypes). I checked connectivity between the syslog server and Splunk and everything seems fine. I also rebooted the syslog server and Splunk. So at this point, I'm not sure what else to do or how to investigate this issue since it's not specific to one source/sourcetype. How can I troubleshoot this issue? Thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

echojacques
Builder
‎12-05-2013 03:05 PM

After some digging around, we figured it out: our splunk forwarder service wasn't running on our syslog server. As soon as we started it, we started to see data from our syslog sources in Splunk.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

echojacques
Builder
‎12-05-2013 03:05 PM

After some digging around, we figured it out: our splunk forwarder service wasn't running on our syslog server. As soon as we started it, we started to see data from our syslog sources in Splunk.

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-05-2013 08:25 AM

Sounds like a problem with Syslog-ng.

  1. Are you receiving events with Syslog-ng?
  2. Are you writing to file, or using tcp/udp to Splunk? ( Syslog -> NG -> file -> Splunk ) OR (Syslog -> NG -> syslog -> Splunk)
  3. Are you using a forwarder at all?
Reply
Solved! Jump to solution

echojacques
Builder
‎12-05-2013 10:04 AM

We're running Linux 2.6.32-5...

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-05-2013 09:38 AM

What OS do you have?

0 Karma
Reply
Solved! Jump to solution

echojacques
Builder
‎12-05-2013 09:25 AM

I didn't find /opt/splunk or /opt/splunkforwarder in any of the splunk directories. I do have /opt/ but the directory is empty.

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-05-2013 09:11 AM

do you have "/opt/splunk" or "/opt/splunkforwarder" on the system?

0 Karma
Reply
Solved! Jump to solution

echojacques
Builder
‎12-05-2013 09:03 AM

Hi,

  1. Yes, syslog-ng is receiving events.
  2. Writing to a file: syslog-ng -> file -> Splunk.
  3. I don't think so but how can I check if I am using a forwarder? Splunk professional services setup our Splunk and I'm still learning the ropes.

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...