Getting Data In

Why is Input not working?

michaelnorup
Communicator

Hey Guys.

I have an input that is refusing to work.

The input that doesn't work is this fortigate one:

This one on the same syslog server works just fine:



Checking the app on the syslog server, both inputs look like the above, so they have been pushed fine from the deployment server.

Nothing called fortigate is in splunk:


Recent log files ARE populated and present on the syslog server.

If I search for the host from the fortigate input the following shows up, which to me looks like it should be forwarding logs?

gcusello
SplunkTrust

Hi @michaelnorup,

let me understand:

In /var/log/syslogd/10.200.252.231/ you have files with name *.log but you cannot read them. Is it correct?

First, check if you're receiving Splunk internal logs from that host

index=_internal host=FW-XXX-ACT

and if the hostname is correct.

Then, check if the user you're using to run Splunk on that system (I suppose a Universal Forwarder) has the grants to read those files and folders.

Then check if the folder is correct: you can check this with a simple linux command

ls -la /var/log/syslogd/10.200.252.231/*.log

Then, I suggest not using "-" in names; "_" is better because (probably not in this case) it isn't read in a correct way.

Ciao.

Giuseppe

michaelnorup
Communicator

Hey Giuseppe, thanks for stopping in

I am NOT receiving logs from the host, which is the entire problem, right? The host however can be both the syslog server (which I am receiving plenty of logs from, just not this particular input), and the FW-XXX-FG from the inputs.conf, which isn't working.

Splunk forwarder is running as root, so it should have access to read all.

On the deployment server I can even see the folder and sourcetype under settings -> data inputs -> files and directories.

gcusello
SplunkTrust

Hi @michaelnorup,

let me understand:

  • you're receiving Splunk internal logs from that host,
  • you're receiving other logs from that host,
  • you're not receiving logs from the incriminated input,
  • the running Splunk user is root so there isn't any grant problem.

When you say that the user is root, are you speaking about the target server or the Deployment Server?

Did you check if the folder is correct (using the ls command) not on the deployment server, but on the target server?

Ciao.

Giuseppe

michaelnorup
Communicator

I am receiving internal logs from the syslog server.

I am receiving other logs (for example the cisco logs) from the syslog server.

I am NOT receiving logs from the fortigate input from the syslog server (deployed with the same app as the cisco input).

The user running splunk is root on the syslog server.

I am even seeing both inputs correctly here on the deployment server.

Am I reading these entries correctly in that it IS in fact transmitting data from the fortigate input?

Can it be because the logs are so many and big that it simply hasn't caught up yet?

michaelnorup
Communicator

It randomly works now. I guess it was just super slow at catching up.

gcusello
SplunkTrust

Hi @michaelnorup,

Probably you have too many files to read!

You cannot do many things in this case; my hint is to analyze the delay between timestamp and indextime and consider it in alert scheduling.

Ciao.

Giuseppe

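As an added example (not part of the thread or from any of the posters), a Splunk search that measures the timestamp-to-indextime delay Giuseppe refers to and flags 15-minute windows where the forwarder is falling behind; `your_index` and `your_fortigate_sourcetype` are placeholders for the index and sourcetype used by the fortigate input, and the 300-second threshold is an assumed alerting tolerance.

```spl
index=your_index sourcetype=your_fortigate_sourcetype earliest=-24h
| eval lag_sec=_indextime-_time
| bin _time span=15m
| stats count
        avg(lag_sec) as avg_lag_sec
        perc95(lag_sec) as p95_lag_sec
        max(lag_sec) as max_lag_sec
    by _time host sourcetype
| eval behind=if(p95_lag_sec>300, "yes", "no")
| sort - _time
```

Any window where behind="yes" is one where a scheduled alert using a short lookback (for example earliest=-15m) would have missed events that only arrived later, so the alert's earliest should be widened by at least max_lag_sec.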