Not getting normal logs from UPS, but test logs wo...

dg03 · ‎01-25-2024

I'm not very experienced with Splunk, but I've been asked to set up syslog forwarding from our UPS's to our Splunk server. I've configured it with the default settings, and pointed it towards our syslog server on the default syslog port. I'm able to get test logs from any severity to go through without issue, but I am unable to see any other type of logs.

NMC: AP9641

Syslog settings on device:

Port: 514

Protocol : UDP

Message Generation: Enabled

Facility Code: User (I've tried all the other options but I was still unable to see any logs)

Severity Mapping

Critical: Critical

Warning: Warning

Informational: Informational

datadevops · ‎01-28-2024

Hi there!

Seems like your test logs are working, but real-world ones aren't showing up. Here's what might be happening:

Filter Frenzy: Double-check your Splunk filters. You might have one accidentally hiding those juicy UPS logs.
Severity Sleight of Hand: Splunk might not be ingesting lower severity logs by default. Try adjusting your search filters or source type settings to include them.
Port Mismatch: Make sure your Splunk server is listening on port 514 for UDP traffic. A quick netstat check can confirm this.

If none of these work, give your Splunk logs a good scan for error messages related to UPS data. They might offer more specific clues.

~ If the reply helps, a Karma upvote would be appreciated

Not getting normal logs from UPS, but test logs work at any severity level

syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation