Not getting normal logs from UPS, but test logs work at any severity level

dg03
New Member

I'm not very experienced with Splunk, but I've been asked to set up syslog forwarding from our UPSs to our Splunk server. I've configured it with the default settings, and pointed it towards our syslog server on the default syslog port. I'm able to get test logs from any severity to go through without issue, but I am unable to see any other type of logs.

NMC: AP9641

Syslog settings on device:

Port: 514

Protocol: UDP

Message Generation: Enabled

Facility Code: User (I've tried all the other options but I was still unable to see any logs)

Severity Mapping

Critical: Critical

Warning: Warning

Informational: Informational

datadevops
Path Finder

Hi there!

Seems like your test logs are working, but real-world ones aren't showing up. Here's what might be happening:

  1. Filter Frenzy: Double-check your Splunk filters. You might have one accidentally hiding those juicy UPS logs.
  2. Severity Sleight of Hand: Splunk might not be ingesting lower severity logs by default. Try adjusting your search filters or source type settings to include them.
  3. Port Mismatch: Make sure your Splunk server is listening on port 514 for UDP traffic. A quick netstat check can confirm this.

If none of these work, give your Splunk logs a good scan for error messages related to UPS data. They might offer more specific clues.

~ If the reply helps, a Karma upvote would be appreciated
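
Added example, not part of the original thread or of Splunk's or the UPS vendor's code: a small Python check that decodes the syslog PRI field (facility × 8 + severity) so you can see which facility and severity each datagram carries before any Splunk-side filtering. The port 5514, the function names and the sample datagrams are assumptions made for illustration; the samples are constructed, not captured from an AP9641.

```python
import re
import socket

# Facility and severity names by numeric code (RFC 5424, section 6.2.1).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility, severity, message), or None when the PRI is missing or invalid."""
    match = PRI_RE.match(datagram)
    if not match or int(match.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(int(match.group(1)), 8)
    message = datagram[match.end():].decode("utf-8", "replace")
    return FACILITIES[facility], SEVERITIES[severity], message


def summarize(datagrams):
    """Count datagrams per (facility, severity); unparsable ones count as 'invalid'."""
    counts = {}
    for datagram in datagrams:
        decoded = decode_pri(datagram)
        key = decoded[:2] if decoded else ("invalid", "invalid")
        counts[key] = counts.get(key, 0) + 1
    return counts


def listen(port=5514, host="0.0.0.0"):
    """Print the sender and decoded PRI of each UDP datagram (port is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (source, _) = sock.recvfrom(65535)
            print(source, decode_pri(data) or ("invalid", data[:80]))


# Constructed datagrams: facility User (1) with the three severities from the
# mapping in the question, plus one line without a PRI.
SAMPLES = [b"<10>constructed critical event", b"<12>constructed warning event",
           b"<14>constructed informational event", b"constructed line without PRI"]

if __name__ == "__main__":
    print(summarize(SAMPLES))
    # listen()  # uncomment to watch live traffic on the test port
```

If `listen()` shows test messages arriving but no real events, the gap is on the device side; if real events arrive here but not in searches, it is on the Splunk side.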
