How to troubleshoot not receiving data in a specif...

splunk_luis12 · ‎08-04-2022

Hi folks,

I have a host that is sending different logs to Splunk, this host sends various logs successfully except for the syslog-ng logs.

Here you have an example of the inputs config (there are 3 inputs in this way not being received by Splunk)

[monitor:///store/data/log/cisco_ise]
disabled = false
host = xxxxxxxxxx
index = syslog
sourcetype = cisco:ise

Inputs appear when using the command 'splunk list monitor', then it doesn't seem a permissions issue.
Other logs are being successfully ingested by this host.
the syslog-ng is working as expected and it is receiving and storing logs on the hdd

Does anyone has an idea of steps I can follow to troubleshoot this?

Thanks in advance,

matt8679 · ‎08-04-2022

I'm guessing its a permission issue with your syslog-ng directory. I would check that your user running splunk has the proper permissions to ingest the logs. I would compare the permissions of the files that work to the syslog-ng files.

richgalloway · ‎08-04-2022

If the host is having problems reading certain logs or sending them to the indexers then there should be messages to that effect in splunkd.log.

---
If this reply helps you, Karma would be appreciated.

How to troubleshoot not receiving data in a specific index from a specific host?

heavy forwarder

inputs.conf

Linux

monitor

sourcetype

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

How to troubleshoot not receiving data in a specific index from a specific host?