Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

syslog forwarding data with HA

surekhasplunk
Communicator
‎07-04-2020 06:45 PM

I have two syslog servers syslog1 and syslog2

For all of the sources i am getting the data into both the syslog servers but indexing data from 1 syslog.

But for one of the sources i a receiving data only on one syslog server that is syslog1 and not on syslog2.

But everything else right now is getting forwarder from syslog2. 

Now i dont know how and where to start trouble shooting from 

Please help. 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-05-2020 01:43 AM

Hi @surekhasplunk ,

you spoke of HA, does this mean that you have also a Load Balancer in front of the two syslog servers?

If not, you don't have HA, so think to add this laier to your architecture.

If yes it could be possible that it's the LB to distribute traffic in only one syslog server.

You can test this turning off one of them and verifying that the other continue to receive and forward all the syslogs.

Then how do you verified that only one server is sending its syslogs to the Indexer?

Ciao.

Giuseppe

0 Karma
Reply

surekhasplunk
Communicator
‎07-05-2020 07:13 PM

Hi @gcusello ,

currently i am receiving data getting indexed from syslog1 server for 2 different sources/indexes.

But i am receiving data on syslog2 server for 1 source/index. 

and yes load balancer is there balancing in terms of volume. 

while we are investigating why 2nd source/index is not received on syslog2 server i need your help in understanding why in this scenario syslog1's data is not getting indexed for both source types. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-05-2020 10:33 PM

Hi @surekhasplunk ,

as i said, probably is the Load Balancer that's sending logs to only one syslog server for one of the sources, check if your indexers is receiving all the logs and what happens if you turn off one of the syslog servers.

Ciao.

Giuseppe

0 Karma
Reply

surekhasplunk
Communicator
‎07-06-2020 02:37 AM

Hi ,

In the indexer i am seeing below info without anything getting indexed. 

07-06-2020 10:11:54.836 +0100 INFO CMSlave - event=setBucketSummaries bid=fgt~XXX~XXXXX update=fgt~XXX~XXXXXX
07-06-2020 10:11:54.836 +0100 INFO CMRepJob - running job=CMUpdateSummaries_AndRegisterSummariesSuccess updates=fgt~XXX~XXXXX

Not sure what this means

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2020 02:40 AM

Hi @surekhasplunk ,

in normal working, are you seeing all the logs or not?

did you tried to turn off one of the syslogs servers?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top