Monitoring Splunk

Not Receiving Logs from Syslog Server

kpcool
New Member

I have set up a universal forwarder to collect all the syslog data to Splunk. All the settings are in place:

1. Connectivity between the servers (syslog UF to Splunk) is OK.

2. Required ports are open.

3. All the configuration on the syslog server and the deployment server is OK.

4. Even after making changes to the inputs under the deployment server app, I restart the app from the GUI.

5. On syslog I am getting continuous logs.

Although all the settings are in place, I'm not able to receive the logs continuously. Sometimes I receive the logs in Splunk, but sometimes the logs are not received.

0 Karma

kpcool
New Member

I'm collecting the network logs on a syslog server, where I have installed the UF. Through the UF I'm monitoring those log files. I have a deployment server as well.
inputs.conf is correct, as sometimes the logs are coming and sometimes not.

Is there any restriction of the UF that it can't read large files?

We are not using an HF in our environment.

0 Karma

gcusello
SplunkTrust

Hi @kpcool,

So you have a syslog-ng server that writes syslogs into files that are read by a UF, and you deploy configurations (TAs) to the UF using a Deployment Server.

I don't know of particular limitations on files read by a UF. Are you sure that:

  • the TA containing your inputs.conf is correctly deployed to the UF (check this in $SPLUNK/etc/apps)?
  • Splunk is restarted on the UF after the upgrade?
  • the path in inputs.conf is correct?

Could you share the path of the folder containing the files to read and the inputs.conf?

Ciao.

Giuseppe

0 Karma

kpcool
New Member
Hello @gcusello, the points you mentioned are all correct. Also, I'm getting the logs sometimes and sometimes not. Here is the input from the deployment server:

[monitor:///data/syslog/xyz/]
index = pqr
host_segment = 3
disabled = 0
sourcetype = abc

Note: for data privacy, I have used alphabetical placeholder words; the file path is under the monitor segment in inputs.conf.
0 Karma

gcusello
SplunkTrust

Hi @kpcool,

If you sometimes get logs and sometimes not, you have a correct input configuration.

Now we have to check why sometimes not!

Please check whether, at the times that you don't index files, the content of the file is the same as the previous one (even with a different filename), because Splunk by default doesn't index a log twice, even if it is in different files.

If this is your situation, you have to add to your inputs.conf stanza:

crcSalt = <SOURCE>

In this way Splunk indexes all the files with different filenames.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @kpcool,

let me understand:

  • did you configure a syslog-ng server that writes logs into files which the UF reads,
  • or did you configure your UF to take syslogs directly?

In the first case, check if the files containing the syslogs are present and then check if the inputs.conf stanza reads the correct path.

In the second case, I knew that you cannot use a Universal Forwarder to take syslogs but need a Heavy Forwarder to do this; in fact you can find info at https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input . Searching for this question I found that a UF can also be used to input syslogs, but I have never used it, always an HF.

Ciao.

Giuseppe

0 Karma