Splunk Enterprise

Splunk not receiving logs on heavy forwarder

splunkkk
Loves-to-Learn

Hi. Recently I noticed that the Splunk heavy forwarder has stopped receiving logs from network devices. We are using TLS over syslog, but the cert has not expired yet. The rsyslog.conf file should have nothing wrong with it, since previously it could receive logs. Can I know why this is happening?

0 Karma

splunkkk
Loves-to-Learn

Hi all,

I tried restarting the Splunk service on the heavy forwarder and logs are coming in again.

Can I know why Splunk suddenly stops receiving logs, so that we need to restart the service for it to work again?

Thanks

0 Karma

isoutamo
SplunkTrust

If I recall correctly, there are some versions that could have issues ingesting data (at least on the UF side, but you have an HF).

The best option to get more information is to look at your _internal logs and try to find out what happened when (and just before) this issue arose. As @livehybrid said, first try to figure out whether the issue has been on the receive or send side, or even on the indexers.

https://community.splunk.com/t5/Getting-Data-In/Splunk-Indexer-Parsing-Queue-Blocking/td-p/583312 is one old post which could be related to this issue, or at least it contains some useful links.

0 Karma

livehybrid
SplunkTrust

Hi @splunkkk 

Are you still getting other logs / _internal logs from the HF? This will help determine if the error is with sending or receiving data.

Check the $SPLUNK_HOME/var/log/splunk/splunkd.log for any errors relating to SSL/TLS/input/output/queues

Use netcat to check the expected port is open (nc -vz -w1 localhost <port>). This assumes netcat is installed as the "nc" binary.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma

kiran_panchavat
SplunkTrust

@splunkkk 

  • Ensure no firewall rules or network policies have changed recently that might block traffic (e.g., port 514 or your custom syslog port).
  • Ensure rsyslog is running on the HF (systemctl status rsyslog or service rsyslog status).
  • Check the disk space on the Syslog forwarder. command:- df -h
  • Verify whether any queues are blocked on the heavy forwarder by running:  tail -n 100 /opt/splunk/var/log/splunk/metrics.log | grep -i "blocked=true"

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
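Pulling together the checks in @livehybrid's answer (splunkd.log errors, port probe) and @kiran_panchavat's checklist (blocked queues in metrics.log, rsyslog, disk), here is an added triage script. It is example code written for this page, not code from the thread or from Splunk. It summarises the blocked=true queue lines of metrics.log, lists the ERROR/WARN lines of splunkd.log that mention TLS, inputs, outputs or queues, and uses which queue is blocked to say whether the stall is on the receive side, inside the HF pipeline, or on the send side towards the indexers, which is the distinction the thread is asking for. The sample log lines are constructed, the /opt/splunk paths and the 6514 TLS syslog port are assumptions, and blocked_queues, diagnose, splunkd_problems, port_open and cert_ok are helper names chosen here.

```shell
#!/usr/bin/env bash
# HF ingest triage helper. Added example for this page, not from the thread or Splunk.
# Paths, the listener port, queue names and the sample log lines are assumptions or
# constructed data; on a real HF it reads $SPLUNK_HOME/var/log/splunk directly.

# --- Constructed sample data in the shape a back-pressured HF logs (not real captures) ---
SAMPLE_METRICS='04-09-2025 10:15:01.123 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=6144, current_size_kb=6143, current_size=1200, largest_size=1201, smallest_size=0
04-09-2025 10:15:01.123 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
04-09-2025 10:15:32.456 +0000 INFO  Metrics - group=queue, name=tcpout_splunk_indexers, blocked=true, max_size_kb=7168, current_size_kb=7167, current_size=900, largest_size=900, smallest_size=0
04-09-2025 10:16:03.789 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=6144, current_size_kb=6140, current_size=1198, largest_size=1201, smallest_size=0'

SAMPLE_SPLUNKD='04-09-2025 10:14:58.001 +0000 INFO  TcpInputProc - Connection in raw mode from src=10.20.0.7:40212
04-09-2025 10:15:00.200 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.1.10:9997 timed out
04-09-2025 10:15:01.300 +0000 ERROR TcpOutputProc - Connection to 10.0.1.10:9997 failed: Connection refused
04-09-2025 10:15:02.400 +0000 ERROR TcpInputProc - Error encountered for connection from src=10.20.0.7:40213. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
04-09-2025 10:15:03.500 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.0'

# Print "<queue> <count>" for every queue that reported blocked=true, most frequent first.
# Reads metrics.log lines on stdin, e.g.: tail -n 2000 metrics.log | blocked_queues
blocked_queues() {
  grep -i 'blocked=true' \
    | sed -n 's/.*name=\([^,]*\),.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Turn the blocked-queue summary (stdin) into a verdict. On an HF the data path is
# input -> parsingqueue -> aggqueue -> typingqueue -> indexqueue -> tcpout_*; a blocked
# queue back-pressures every stage above it, so blame the furthest downstream one.
diagnose() {
  awk '
    $1 ~ /^tcpout_/ { send = 1 }
    $1 ~ /^(parsingqueue|aggqueue|typingqueue|indexqueue)$/ { proc = 1 }
    END {
      if (send) print "send-side: tcpout to the indexers is blocked; check the indexers and the path to them before touching the syslog input"
      else if (proc) print "hf-processing: a local pipeline queue is full; check CPU, props/transforms and disk on the HF"
      else print "receive-side: no queue is blocked; check rsyslog, the TLS listener and the firewall path from the devices"
    }'
}

# ERROR/WARN lines in splunkd.log (stdin) that mention TLS, inputs, outputs or queues.
splunkd_problems() {
  grep -E '^[0-9-]+ [0-9:.]+ [+-][0-9]{4} (ERROR|WARN) ' \
    | grep -Ei 'ssl|tls|tcpinput|tcpoutput|queue'
}

# Exit 0 if something accepts TCP connections on host:port (bash /dev/tcp, no nc needed).
port_open() {
  timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Exit 0 unless the PEM certificate at $1 is expired or expires within 30 days.
cert_ok() {
  openssl x509 -noout -checkend 2592000 -in "$1" >/dev/null 2>&1
}

# Run against a live HF when its log directory is readable, otherwise against the samples.
main() {
  local home=${SPLUNK_HOME:-/opt/splunk} metrics splunkd summary
  metrics="$home/var/log/splunk/metrics.log"
  splunkd="$home/var/log/splunk/splunkd.log"
  echo "== queues reported blocked (name count) =="
  if [ -r "$metrics" ]; then summary=$(tail -n 2000 "$metrics" | blocked_queues)
  else summary=$(printf '%s\n' "$SAMPLE_METRICS" | blocked_queues); fi
  printf '%s\n' "$summary"
  printf '%s\n' "$summary" | diagnose
  echo "== splunkd.log ERROR/WARN lines on TLS, inputs, outputs or queues =="
  if [ -r "$splunkd" ]; then tail -n 5000 "$splunkd" | splunkd_problems || true
  else printf '%s\n' "$SAMPLE_SPLUNKD" | splunkd_problems || true; fi
  echo "== TLS syslog listener (port 6514 assumed; override with SYSLOG_TLS_PORT) =="
  if port_open 127.0.0.1 "${SYSLOG_TLS_PORT:-6514}"; then echo "port open"; else echo "port closed"; fi
}

main "$@"
```

The send-side verdict is the one worth watching in this thread: when the tcpout queue to the indexers is blocked, parsingqueue fills behind it and the inputs stop accepting data, which looks exactly like "not receiving logs" even though nothing is wrong with rsyslog or the TLS cert, and a restart clears it only until the queues fill again. Run cert_ok against the rsyslog server certificate to rule out the expiry the original poster mentions.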

splunkkk
Loves-to-Learn

Hi @kiran_panchavat 

Firewall rules are in place; nobody has made changes to them.

Rsyslog is running on the HF, and disk space should be enough, as it can still receive some network devices' logs on the same HF.

Any idea what else I can check? Thanks

0 Karma

kiran_panchavat
SplunkTrust

@splunkkk 

Firstly, could you kindly confirm whether your Syslog forwarder is receiving the network logs?
You can verify this by running a tcpdump capture.

To check for devices from which logs are not being received, please use the following command:

sudo tcpdump -i <interface> host <device_IP> and port <port_number>

Replace <interface>, <device_IP>, and <port_number> with the appropriate values for your environment.

Find Interface Names

tcpdump -D


To capture traffic for a specific host (e.g., 192.168.1.50):

sudo tcpdump -i ens160 host 192.168.1.50 (change your interface here)

To capture traffic on a specific port (e.g., 514):

sudo tcpdump -i ens160 port 514

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma