Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Not receiving logs from Syslog Server

damode
Motivator
‎02-26-2018 04:05 PM

I have set up a universal forwarder to read logs from kiwi syslog server.
Universal Forwarder is set to forward logs to the Indexer via Heavy Forwarder.
I have also set up the Heavy Forwarder as deployment server.
I have deployed the following inputs.conf to the U.F by deploying an app from the deployment server.

[monitor://C:\Program Files (x86)\Syslogd\Logs\x.x.x.x\log*.txt]
index = main
sourcetype = syslog
disabled = false

With all the above settings, I still cant see any logs on the Indexer.
I have confirmed following things already,

  1. U.F has the right privilege to read logs from syslog's log folder.
  2. network connection established between Syslog Server and H.F on H.F's port 9997 and 8089.
  3. receiving port 9997 on Indexer enabled.

splunk btool inputs list monitor command also does not work on the U.F
Please help me troubleshoot this.
Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damode
Motivator
‎02-26-2018 05:16 PM

There are only INFO messages.

Strangely, after I restarted the universal forwarder and re-deployed the app, I was able to see logs on the Indexer now. However, I am still unsure where was the fault.

Does restarting the U.F or splunk reload deploy-server both required to apply config settings on U.F ?

Also, in Forwarder Management, it shows me all info like apps, server classes and deployment client, however, in Settings-->Server Settings--> Deployment Client, it shows nothing at all. Any reason why ?

View solution in original post

Reply
Solved! Jump to solution
Solution

damode
Motivator
‎02-26-2018 05:16 PM

There are only INFO messages.

Strangely, after I restarted the universal forwarder and re-deployed the app, I was able to see logs on the Indexer now. However, I am still unsure where was the fault.

Does restarting the U.F or splunk reload deploy-server both required to apply config settings on U.F ?

Also, in Forwarder Management, it shows me all info like apps, server classes and deployment client, however, in Settings-->Server Settings--> Deployment Client, it shows nothing at all. Any reason why ?

Reply
Solved! Jump to solution

stefanhutchison
Explorer
‎02-26-2018 04:37 PM

Any messages in the splunkd.log file on the universal forwarder? It would be in Splunk_home\var\log\splunk\splunkd.log

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...