Re: Splunk Connect for Syslog

matcher123 · ‎04-25-2024

I have a sc4s deployment running in an ec2 instance. I followed the documentation provided here https://splunk.github.io/splunk-connect-for-syslog/main/.
I have a c# application running inside docker of the same host where sc4s is running. My application is able to send syslog data on port 514 and the same is visible in Splunk Cloud dashboard under sourcetype as sc4s:fallback

I am running the same application in my windows local machine trying to send data to the same port and linux machine ip. Data is sent to the host machine because I can see it in the TCP dump but sc4s is not ingesting the data into the Splunk Cloud.

What should be my next step in debugging. I have tried everything from my side but still not able to figure out what the issue is my sc4s deployment

marnall · ‎04-28-2024

There is a troubleshooting guide here: https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/

The guide describes how to to write the rawmsg to a file for both the working server and your non-working windows machine, to see if the messages are received the same. Once you confirm that the logs are being received the same, you can move to seeing why Splunk is not then indexing them.

Splunk Connect for Syslog

Linux

syslog

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?