I have firewall data coming to my syslog server.The syslog file gets rotated every 24 hours. Ive installed forwarder on the syslog server. I have a monitoring stanza in my Fortinet FortiGate App for Splunk(TA) .
[monitor:///bbbb/aaaaa/xxxxxxx/syslog.log]
index = fortinet
sourcetype = fgt_log
Earlier the logs used to come, now the data has stopped coming. It says:
07-10-2018 14:10:39.143 +0530 WARN TailReader - Enqueuing a very large file=/bbbb/aaaaa/xxxxxxx/syslog.log in the batch reader, with bytes_to_read=2626817453, reading of other large files could be delayed
07-10-2018 04:56:18.424 +0530 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Jul 10 04:56:02 2018). Context: source::/bbbb/aaaaa/xxxxxxx/syslog.log|host::XXXX|fgt_log|2414.
tried reinstalling the forwarder, thruput = 0, initcrclength = 1024 but no luck!
Splunk version - 6.5.7
Fortinet FortiGate App for Splunk- 1.4
Any suggestions?
Hi @ vinod94 ,
can you please check your props.conf file.
Thank you!