Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are Splunk some logs missing from kiwi syslog?

bheptinstall
Engager
‎03-16-2023 06:39 AM

Hello everyone I am running into an issue that may be either Splunk or my Kiwi Syslog server, and I am not really sure and the research I am doing is not helping currently.

We had a network device that was not communicating and sending logs to syslog server but we fixed that and now whenever we view the RAW logs on the server we can see the specific %Port_Security logs that we are trying to have reported directly to splunk.

Whenever I run a search query (that worked before a baseline change) I return 0 results. So what I did was change the way I am trying to retrieve these logs so I run a "sourcetype=syslog" host={switch-name}. The switch pops up and contains a number of logs. However, it seems that the most important log that we want (%Port_Security) does not return as a finding. After, running this search I figured there was maybe a problem with the sourcetype so I ran a search that targets the live syslog data with - source={log location} host={switch-name}. The system pops up again. I did not find the port security report inside this search either. I even added a (%Port_Security) on the back end of it. 

I reached out to our engineers that provided the tool to us to help fix the issue since they are the ones that provide it and do the back end configuration and troubleshooting but they refuse to help. 

Labels (2)
Labels
0 Karma
Reply

lbrhyne
Path Finder
4 weeks ago

Hi @bheptinstall,

Did you ever figure this out or get a reason to what the cause is?

Thanks,

0 Karma
Reply

DanielPi
Moderator
Moderator
4 weeks ago

Hi @lbrhyne,

I’m a Community Moderator in the Splunk Community.

This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you! 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...