Getting Data In

Syslog data source and Splunk 5.0.3 on Windows 2008

mas
Path Finder

After the upgrade to Splunk 5.0.3, my syslog data sources suddenly stopped to work. Using MS Network Monitor and Wireshark, I am able to see syslog packets reaching the server. Upgrading to 5.0.4 did not resolve the issue.

Splunk is installed on a Windows 2008 R2 machine.

Anyone experiencing the same problem?

Tags (2)
0 Karma
1 Solution

mas
Path Finder

I found the problem. The same day of the update, a configuration change had been made in props.conf (under ./etc/system/local). A stanza had been created to match data sent by three specific hosts (just say: serverA, serverB and serverC). There was a typo in this stanza name! It had been defined as:

[host::serverA|host::serverB||host::serverC]

instead of

[host::serverA|host::serverB|host::serverC]

The double "||" caused a "match-all" situation. In addition, this stanza has a conditional redirect of all the events, with the exception of the required ones, to the null queue. All the syslog events, as a result, were discarded!

View solution in original post

0 Karma

mas
Path Finder

I found the problem. The same day of the update, a configuration change had been made in props.conf (under ./etc/system/local). A stanza had been created to match data sent by three specific hosts (just say: serverA, serverB and serverC). There was a typo in this stanza name! It had been defined as:

[host::serverA|host::serverB||host::serverC]

instead of

[host::serverA|host::serverB|host::serverC]

The double "||" caused a "match-all" situation. In addition, this stanza has a conditional redirect of all the events, with the exception of the required ones, to the null queue. All the syslog events, as a result, were discarded!

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Can you verify your inputs? Did you make changes in a default/inputs.conf file? They may have been overwritten. Does the input appear in the manager?

0 Karma

mas
Path Finder

Hi alacercogitatus, thank you for your answer. I never change conf files in "default" folders. The input appears in the manager. In addition, I tried to install a syslog server (temporary disabling the input source) and syslog messages were traced correctly.

It seems that Splunk is refusing to collect data for this data source.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...