I have a forwarder (v4.1.3) installed on a W2K DC, and it has been configured to forward Application, System and Security logs to our indexer. Everything was OK until I discovered that the forwarder had actually stopped sending System and Security logs a few months back... The indexer continues to receive Application logs.
I went to check on the forwarder and it prompts that the license has expired! (I was using the forwarder license, and in splunkweb it shows the license as forwarder as well.) I've tried to re-include the forwarder license and restart Splunk, but it still prompts as expired. Thinking this may be the problem, I upgraded the forwarder to v4.1.5, which is the same as the indexer, and set up the forwarder license again.
Now I've tried to add the Application, System and Security event logs, but it doesn't seem to work at all now. I don't receive any events on the indexer after that.
What kind of an input is collecting this data? It could be that your checkpoint has become corrupt and you need to cleanly remove the problematic channels (App, Security, Event).
Are you seeing any errors in splunkd.log related to the input?
I've installed a forwarder on the DC, configured via splunkweb data inputs to collect App, Security and System events.
I tried removing the channels initially when I first realised the problem, but when I tried adding them back, Splunk wasn't able to save them, as the channels were not reflected in the local event collectors. I've also tried adding them manually in inputs.conf, but it doesn't work.
So I went ahead and upgraded to v4.1.5 and was able to add them back, and the 3 channels are reflected in the local event collectors now. However, it doesn't seem to be indexing any events.
Sorry, I am still a bit unclear about which mechanism is being used. You are using local, or remote event log collection?
I've also checked splunkd.log. There doesn't seem to be any error. How can I completely remove the channels and add them back again?
You could do this by removing the checkpoint files. By default, they are in
The files are SecurityCheckpoint, ApplicationCheckpoint, and System_Checkpoint. Stop Splunk, rename them to .old and move them out of the way, then restart. If the checkpoint is corrupt, this should take care of the problem.
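The checkpoint reset described in the answer above, as an added PowerShell example that is not part of the original thread: it stops the forwarder service, moves the three checkpoint files aside under a timestamped .old name so an earlier backup is never overwritten, and restarts. The checkpoint directory and the service name are placeholders (the thread does not give the path) and must be adjusted for the local installation.

```powershell
# Added example, not from the original thread. Resets Splunk's Windows event log
# checkpoints: stop splunkd, rename the checkpoint files to .old, restart.
param(
    # Placeholder: the thread omits the default checkpoint directory; set it for your install.
    [string]$CheckpointDir = 'C:\Path\To\Splunk\checkpoint\dir',
    # Placeholder: confirm the forwarder's service name with Get-Service.
    [string]$ServiceName   = 'splunkd'
)

# Checkpoint files named in the answer above
$files = @('SecurityCheckpoint', 'ApplicationCheckpoint', 'System_Checkpoint')

# Stop the forwarder first so splunkd cannot rewrite a checkpoint while it is moved
Stop-Service -Name $ServiceName -ErrorAction Stop
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

foreach ($name in $files) {
    $path = Join-Path $CheckpointDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "No checkpoint found for $name at $path"
        continue
    }
    # Keep the old file for inspection; the timestamp avoids clobbering a previous .old
    $backup = '{0}.{1}.old' -f $name, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Rename-Item -LiteralPath $path -NewName $backup -ErrorAction Stop
    Write-Output "Renamed $name -> $backup"
}

# Restart; the event log input recreates its checkpoints on the next read
Start-Service -Name $ServiceName
```

After the restart, confirm on the indexer that System and Security events arrive again; if a channel still yields nothing, check splunkd.log on the forwarder for that input.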
Hi, I've tried your suggestion and have started receiving events already. Although in splunkweb the 3 channels don't show, I guess it doesn't matter. Thanks.