Not getting data in Edge Processor

adrifesa95 · ‎02-20-2024

Hello everyone,

I am trying to send syslog data to my Edge Processor and it is the first time and it seems that it is not as simple as Splunk proposes.

I am sending the data to port 514 TCP which is listening, the edge processor service is up and seems to be working.

With a tcpdump it seems to get something to port 514, I put an example of the output:

root@siacemsself01:/splunk-edge/etc# tcpdump -i any dst port 514 -Ans0
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:00:33.644148 ens32 In IP 10.100.11.46.34344 > 10.100.11.237.514: Flags [.], ack 791814934, win 502, options [nop,nop,TS val 441690529 ecr 2755011762], length 0
E..43.@.@...
d..
d...(...^../2#......S.....
.S...6$.

But in the instance section nothing appears as inbound data.

I also found this in the edge.log file:

2024/02/20 11:40:33 workload exit: collector failed to start in idle mode, stuck in closing/closed state
{"level":"INFO","time":"2024-02-20T11:40:49.752Z","location":"teleport/plugin.go:100","message":"starting plugin","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"INFO","time":"2024-02-20T11:40:49.752Z","location":"teleport/plugin.go:179","message":"starting collector in idle mode","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"INFO","time":"2024-02-20T11:40:49.752Z","location":"logging/redactor.go:55","message":"startup package settings","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0","settings":{}}
{"level":"INFO","time":"2024-02-20T11:40:49.752Z","location":"teleport/plugin.go:198","message":"waiting new connector to start","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"INFO","time":"2024-02-20T11:40:49.752Z","location":"config/conf_map_factory.go:127","message":"settings is empty. returning nop configuration map","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"WARN","time":"2024-02-20T11:40:49.752Z","location":"logging/redactor.go:50","message":"unable to clone map","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0","error":"json: unsupported type: map[interface {}]interface {}"}
{"level":"INFO","time":"2024-02-20T11:40:49.753Z","location":"service@v0.92.0/telemetry.go:86","message":"Setting up own telemetry...","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"INFO","time":"2024-02-20T11:40:49.753Z","location":"service@v0.92.0/telemetry.go:203","message":"Serving Prometheus metrics","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0","address":"localhost:8888","level":"Basic"}
{"level":"INFO","time":"2024-02-20T11:40:49.754Z","location":"service@v0.92.0/service.go:151","message":"Starting otelcol-acies...","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0","Version":"92e64ca1","NumCPU":2}
{"level":"INFO","time":"2024-02-20T11:40:49.754Z","location":"extensions/extensions.go:34","message":"Starting extensions...","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"INFO","time":"2024-02-20T11:40:49.754Z","location":"service@v0.92.0/service.go:177","message":"Everything is ready. Begin running and processing data.","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"ERROR","time":"2024-02-20T11:40:49.754Z","location":"otelcol@v0.92.0/collector.go:255","message":"Asynchronous error received, terminating process","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0","error":"listen tcp 127.0.0.1:8888: bind: address already in use","callstack":"go.opentelemetry.io/collector/otelcol.(*Collector).Run\n\tgo.opentelemetry.io/collector/otelcol@v0.92.0/collector.go:255\ncd.splunkdev.com/data-availability/acies/teleport.(*Plugin).startCollector.func1\n\tcd.splunkdev.com/data-availability/acies/teleport/plugin.go:193"}
{"level":"INFO","time":"2024-02-20T11:40:49.754Z","location":"service@v0.92.0/service.go:191","message":"Starting shutdown...","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"INFO","time":"2024-02-20T11:40:49.754Z","location":"extensions/extensions.go:59","message":"Stopping extensions...","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"INFO","time":"2024-02-20T11:40:49.754Z","location":"service@v0.92.0/service.go:205","message":"Shutdown complete.","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"ERROR","time":"2024-02-20T11:40:49.754Z","location":"teleport/plugin.go:194","message":"failing to startup","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}
{"level":"ERROR","time":"2024-02-20T11:40:49.852Z","location":"teleport/plugin.go:227","message":"collector failed to start in idle mode, stuck in closing/closed state","service":"edge-processor","hostname":"siacemsself01","commit":"92e64ca1","version":"1.0.0"}

Any idea about what it's happening?

adrifesa95 · ‎02-21-2024

There is only one! I deleted the others. Can someone help me?

adrifesa95 · ‎02-20-2024

I deleted onee

richgalloway · ‎02-20-2024

Please don't post the same question twice. Please delete one of them.

---
If this reply helps you, Karma would be appreciated.

Not getting data in Edge Processor

syslog

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...