Getting Data In

syslog forwarding data with HA

surekhasplunk
Communicator

I have two syslog servers, syslog1 and syslog2.

For all of the sources I am getting the data into both of the syslog servers, but indexing data from one syslog.

But for one of the sources I am receiving data only on one syslog server, that is syslog1, and not on syslog2.

But everything else right now is getting forwarded from syslog2.

Now I don't know how and where to start troubleshooting from.

Please help.


gcusello
SplunkTrust

Hi @surekhasplunk ,

you spoke of HA; does this mean that you also have a Load Balancer in front of the two syslog servers?

If not, you don't have HA, so think about adding this layer to your architecture.

If yes, it could be possible that it's the LB that distributes traffic to only one syslog server.

You can test this by turning off one of them and verifying that the other continues to receive and forward all the syslogs.

Then, how did you verify that only one server is sending its syslogs to the Indexer?

Ciao.

Giuseppe


surekhasplunk
Communicator

Hi @gcusello ,

currently I am receiving data getting indexed from the syslog1 server for 2 different sources/indexes.

But I am receiving data on the syslog2 server for 1 source/index.

And yes, a load balancer is there, balancing in terms of volume.

While we are investigating why the 2nd source/index is not received on the syslog2 server, I need your help in understanding why in this scenario syslog1's data is not getting indexed for both source types.


gcusello
SplunkTrust

Hi @surekhasplunk ,

as I said, it is probably the Load Balancer that's sending logs to only one syslog server for one of the sources; check whether your indexers are receiving all the logs, and what happens if you turn off one of the syslog servers.

Ciao.

Giuseppe

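One concrete way to run the check Giuseppe describes (does syslog2 ever receive the missing source, or does the load balancer never send it there?) is to compare, per originating host, what each syslog server actually wrote to disk before Splunk gets involved. The script below is an added example and not part of this thread; it assumes RFC 3164-style lines ("Jul  6 10:11:54 fw01 ...") where the fourth whitespace-separated field is the originating host, and it builds two small constructed sample files in place of the real /var/log/remote/*.log spool on syslog1 and syslog2.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Compare which originating hosts each syslog server received, so that
# "the LB never sent source X to syslog2" can be separated from
# "syslog2 received X but did not forward/index it".
# Assumption: RFC 3164 layout, originating host is field 4
# ("Jul  6 10:11:54 fw01 kernel: ...").

# Constructed sample files standing in for the received-syslog spool
# on syslog1 ($1) and syslog2 ($2). Note that app01 only ever reaches syslog1.
mk_samples() {
  cat > "$1" <<'EOF'
Jul  6 10:11:54 fw01 kernel: accept TCP 10.0.0.5:443
Jul  6 10:11:55 fw01 kernel: drop UDP 10.0.0.9:53
Jul  6 10:11:56 app01 sshd[123]: Accepted publickey for deploy
Jul  6 10:11:57 web01 nginx: GET /health 200
EOF
  cat > "$2" <<'EOF'
Jul  6 10:11:54 fw01 kernel: accept TCP 10.0.0.6:443
Jul  6 10:11:58 web01 nginx: GET /login 302
Jul  6 10:11:59 web01 nginx: POST /login 200
EOF
}

# Print "host count" for every originating host seen in one syslog file.
hosts_in() {
  awk '{ c[$4]++ } END { for (h in c) print h, c[h] }' "$1" | sort
}

# Print originating hosts present in file $1 but never seen in file $2.
# Reads $2 first to build the "seen" set, then scans $1 (deduplicated).
missing_from() {
  awk 'NR == FNR { seen[$4] = 1; next }
       !($4 in seen) && !printed[$4]++ { print $4 }' "$2" "$1"
}

# Stand-alone run against the constructed samples.
d=$(mktemp -d)
mk_samples "$d/syslog1.log" "$d/syslog2.log"
echo "syslog1 hosts:"; hosts_in "$d/syslog1.log"
echo "syslog2 hosts:"; hosts_in "$d/syslog2.log"
echo "seen on syslog1 but never on syslog2:"; missing_from "$d/syslog1.log" "$d/syslog2.log"
rm -r "$d"
```

On real servers, point hosts_in and missing_from at the files rsyslog or syslog-ng actually writes, over the same time window on both machines. A host that appears in only one server's output is a load balancer (or sender configuration) problem and not a Splunk one; a host that appears on both servers but is indexed only from one is a forwarder or inputs problem, which you can cross-check on the indexer side with a search over index=_internal sourcetype=splunkd group=tcpin_connections, which records per-forwarder throughput.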

surekhasplunk
Communicator

Hi,

In the indexer I am seeing the below info without anything getting indexed.

07-06-2020 10:11:54.836 +0100 INFO CMSlave - event=setBucketSummaries bid=fgt~XXX~XXXXX update=fgt~XXX~XXXXXX
07-06-2020 10:11:54.836 +0100 INFO CMRepJob - running job=CMUpdateSummaries_AndRegisterSummariesSuccess updates=fgt~XXX~XXXXX

Not sure what this means.

gcusello
SplunkTrust

Hi @surekhasplunk ,

in normal operation, are you seeing all the logs or not?

Did you try turning off one of the syslog servers?

Ciao.

Giuseppe
