Splunk Enterprise

Splunk not receiving logs on heavy forwarder

splunkkk
Loves-to-Learn

Hi. Recently I noticed that the Splunk heavy forwarder has stopped receiving logs from network devices. We are using TLS over syslog, but the cert has not expired yet. There should be nothing wrong with the rsyslog.conf file, since previously it could receive logs. Can I know why this is happening?

0 Karma

splunkkk
Loves-to-Learn

Hi all,

I tried restarting the Splunk service on heavy forwarder and logs are coming in again.

Can I know why does Splunk stop receiving logs suddenly and we need to restart the service for it to work again?

Thanks

0 Karma

isoutamo
SplunkTrust

If I recall correctly, there are some versions which could have some issues with ingesting data (at least on the UF side, but you have a HF).

The best option to get more information is to look at your _internal logs and try to find out what happened when (and just before) this issue arose. As @livehybrid said, try first to figure out whether the issue is on the receive or send side, or even on the indexers.

https://community.splunk.com/t5/Getting-Data-In/Splunk-Indexer-Parsing-Queue-Blocking/td-p/583312 is one old post which could be related to this issue, or at least it contains some useful links.

0 Karma

livehybrid
SplunkTrust

Hi @splunkkk 

Are you still getting other logs / _internal logs from the HF? This will help determine if the error is with sending or receiving data.

Check the $SPLUNK_HOME/var/log/splunk/splunkd.log for any errors relating to SSL/TLS/input/output/queues

Use netcat to check the expected port is open (nc -vz -w1 localhost <port>). This assumes netcat is installed as the "nc" binary.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma

kiran_panchavat
Champion

@splunkkk 

  • Ensure no firewall rules or network policies have changed recently that might block traffic (e.g., port 514 or your custom syslog port).
  • Ensure rsyslog is running on the HF (systemctl status rsyslog or service rsyslog status).
  • Check the disk space on the syslog forwarder (df -h).
  • Verify whether any queues are blocked on the heavy forwarder by running:  tail -n 100 /opt/splunk/var/log/splunk/metrics.log | grep -i "blocked=true"

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
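The checks suggested in the last two answers (SSL/TLS errors in splunkd.log, blocked queues in metrics.log, the listening port) can be scripted so they are repeatable the next time ingestion stalls. The script below is an added example, not code from the thread or from Splunk; it assumes the log directory used in the thread (/opt/splunk/var/log/splunk, overridable via SPLUNK_LOG_DIR), that "nc" is installed for the port check, and the sample log lines it writes are constructed for offline demonstration and mimic the layout of splunkd.log and metrics.log rather than copying real messages.

```shell
#!/bin/sh
# Added example (not from the thread): offline-testable helpers for the checks
# suggested above. Assumes the thread's log directory layout and an "nc" binary.
SPLUNK_LOG_DIR="${SPLUNK_LOG_DIR:-/opt/splunk/var/log/splunk}"

# List distinct queue names that metrics.log reports with blocked=true ($1 = file).
blocked_queues() {
    grep -i 'blocked=true' "$1" 2>/dev/null \
        | sed -n 's/.*name=\([A-Za-z_]*\).*/\1/p' \
        | sort -u
}

# Count WARN/ERROR lines in splunkd.log that mention SSL or TLS ($1 = file).
# grep -c prints 0 and exits 1 on no match, so "|| true" keeps the count usable.
tls_errors() {
    grep -Ec '(WARN|ERROR).*(SSL|TLS)' "$1" 2>/dev/null || true
}

# Exit 0 if the syslog port ($1) accepts a TCP connection on host $2 (default localhost).
port_open() {
    nc -vz -w1 "${2:-localhost}" "$1" >/dev/null 2>&1
}

# Write constructed sample logs to a temp dir and print its path (for testing offline).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/splunkd.log" <<'EOF'
03-25-2025 09:58:01.100 +0000 ERROR TcpInputProc - SSL handshake failed for connection from src=10.0.0.5:51432 (constructed)
03-25-2025 09:58:02.200 +0000 WARN  SSLCommon - TLS alert received from peer (constructed)
03-25-2025 09:58:03.300 +0000 INFO  TcpInputProc - Connection established from src=10.0.0.6:44000 (constructed)
EOF
    cat > "$d/metrics.log" <<'EOF'
03-25-2025 09:58:10.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=512, current_size_kb=512
03-25-2025 09:58:10.000 +0000 INFO  Metrics - group=queue, name=aggqueue, blocked=true, max_size_kb=1024, current_size_kb=1024
03-25-2025 09:58:10.000 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=12
03-25-2025 09:58:41.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=512, current_size_kb=512
EOF
    echo "$d"
}

# One-shot summary against the live log directory.
triage() {
    q=$(blocked_queues "$SPLUNK_LOG_DIR/metrics.log")
    echo "blocked queues: ${q:-none}"
    echo "SSL/TLS WARN/ERROR lines in splunkd.log: $(tls_errors "$SPLUNK_LOG_DIR/splunkd.log")"
    p="${SYSLOG_PORT:-514}"
    if port_open "$p"; then
        echo "port $p: open"
    else
        echo "port $p: closed (or nc not installed)"
    fi
}

# Only run the live triage when asked, so the helpers can also be sourced.
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

Run it as sh triage.sh --run on the HF; a non-empty "blocked queues" line points at the send/indexer side (queues back up when the HF cannot forward), while SSL/TLS errors with an open port point at the receive side.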

splunkkk
Loves-to-Learn

Hi @kiran_panchavat 

Firewall rules are in place; nobody has made changes to them.

Rsyslog is running on the HF, and disk space should be enough, as it can still receive logs from some network devices on the same HF.

Any idea what else I can check? Thanks

0 Karma

kiran_panchavat
Champion

@splunkkk 

Firstly, could you kindly confirm whether your Syslog forwarder is receiving the network logs?
You can verify this by running a tcpdump capture.

To check for devices from which logs are not being received, please use the following command:

sudo tcpdump -i <interface> host <device_IP> and port <port_number>

Replace <interface>, <device_IP>, and <port_number> with the appropriate values for your environment.

Find Interface Names

tcpdump -D


To capture traffic for a specific host (e.g., 192.168.1.50):

sudo tcpdump -i ens160 host 192.168.1.50
(replace ens160 with your interface)

To capture traffic on a specific port (e.g., 514):

sudo tcpdump -i ens160 port 514


Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
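When several network devices send to the same HF, checking them one tcpdump at a time is slow. The script below is an added example, not code from the thread: it builds the host/port filter described above for any number of devices and probes each one with a bounded capture, reporting which sources are silent. It assumes tcpdump and the coreutils "timeout" command are installed and that it runs with capture rights; the interface, port and device addresses are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): per-device syslog capture probe.
# Assumes tcpdump and coreutils "timeout"; run with capture privileges.
PROBE_SECS="${PROBE_SECS:-10}"

# Build a BPF filter for one port and any of the given hosts, e.g.
# syslog_filter 514 10.0.0.1 10.0.0.2 -> "(host 10.0.0.1 or host 10.0.0.2) and port 514"
syslog_filter() {
    port="$1"; shift
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts or }host $h"
    done
    printf '(%s) and port %s\n' "$hosts" "$port"
}

# Wait for a single packet from one device: exit 0 if seen, non-zero on timeout.
device_seen() {
    iface="$1"; port="$2"; dev="$3"
    timeout "$PROBE_SECS" tcpdump -i "$iface" -nn -c 1 \
        "$(syslog_filter "$port" "$dev")" >/dev/null 2>&1
}

# Probe every device listed after the interface and port; one verdict line each.
probe_devices() {
    iface="$1"; port="$2"; shift 2
    for dev in "$@"; do
        if device_seen "$iface" "$port" "$dev"; then
            echo "$dev: traffic seen on $iface port $port"
        else
            echo "$dev: nothing in ${PROBE_SECS}s (check the device, the firewall path and the TLS handshake)"
        fi
    done
}

# Usage: sudo sh probe_syslog.sh ens160 514 192.168.1.50 192.168.1.51
if [ $# -ge 3 ]; then
    probe_devices "$@"
fi
```

A device that shows traffic here but still has no events in Splunk narrows the problem to the HF itself (rsyslog TLS handling or the Splunk input), whereas a silent device points at the device or the network path.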