Splunk Search

How to check whether splunk is receiving logs from particular IP

alexspunkshell
Contributor

Hi Guys,
Syslog is sent to the forwarder IP over TCP port 514. I am unable to receive that syslog on the forwarder or the indexer.
How do I check whether the syslog is received on the forwarder?
How do I receive that syslog on the indexer?


FrankVl
Ultra Champion

Checking for incoming traffic on the forwarder can be done with tools like tcpdump (Wireshark on Windows).

For example (replace the IP address with the one you're looking for): tcpdump -A -nn -i any src host 10.0.0.1 and dst port 514

If traffic is showing in tcpdump, the issue is on the forwarder server. Either a local firewall is blocking it, or Splunk is not actually listening. Or the issue is further down the pipeline, with data not making it to the indexer, or being processed badly (wrong timestamping or so), which prevents you from seeing it in search results.

If you have confirmation that the data is arriving at the forwarder, feel free to share your splunk configuration to receive further feedback.
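The two checks above (are packets from the sender actually reaching the box, and is anything listening on the port) can be scripted so the result is a yes/no rather than a scroll of capture output. The script below is an added example, not code from this thread or from Splunk. It assumes the line format of `tcpdump -nn` (with or without the interface/direction columns newer tcpdump prints for `-i any`) and the column layout of iproute2 `ss -lnt`; the sample capture and socket listing embedded in it are constructed, and the forwarder addresses in the comments are placeholders.

```shell
#!/bin/sh
# Triage helpers for "is syslog reaching the forwarder?" (added example; assumes
# tcpdump -nn output and iproute2 `ss -lnt` output; run the live commands as root).

# Count packets in tcpdump -nn output (read from stdin) sent by SRC to TCP/UDP port PORT.
# Header lines look like one of these; payload lines from -A are ignored:
#   12:00:01.000500 IP 10.0.0.1.51234 > 10.0.0.5.514: Flags [P.], ... length 100
#   12:00:01.000500 eth0  In  IP 10.0.0.1.51234 > 10.0.0.5.514: Flags [P.], ... length 100
count_packets_from() {
    awk -v src="$1" -v port="$2" '
        {
            # locate the "IP"/"IP6" field; src is the next field, dst is two past the ">"
            for (i = 1; i <= NF; i++) if ($i == "IP" || $i == "IP6") break
            if (i > NF - 3 || $(i + 2) != ">") next
            s = $(i + 1); sub(/\.[0-9]+$/, "", s)          # strip ".srcport" -> source address
            d = $(i + 3); sub(/:$/, "", d); sub(/^.*\./, "", d)   # keep only the destination port
            if (s == src && d == port) c++
        }
        END { print c + 0 }'
}

# Given `ss -lnt` output on stdin, print "listening"/"not-listening" for TCP PORT
# and return 0/1 accordingly. Local address is column 4, e.g. 0.0.0.0:514 or [::]:514.
port_listening() {
    if awk -v port="$1" '
        $1 == "LISTEN" { a = $4; sub(/^.*:/, "", a); if (a == port) found = 1 }
        END { if (found) exit 0; exit 1 }'; then
        echo listening; return 0
    else
        echo not-listening; return 1
    fi
}

# Constructed sample capture: two packets from 10.0.0.1 to port 514, one SYN-ACK back,
# and one packet from a different sender.
SAMPLE_TCPDUMP='12:00:01.000100 IP 10.0.0.1.51234 > 10.0.0.5.514: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 10.0.0.5.514 > 10.0.0.1.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000500 eth0  In  IP 10.0.0.1.51234 > 10.0.0.5.514: Flags [P.], seq 1:101, ack 1, win 502, length 100
12:00:02.000700 IP 10.0.0.9.40000 > 10.0.0.5.514: Flags [P.], seq 1:51, ack 1, win 502, length 50'

# Constructed sample socket listing: sshd, a raw TCP input on 514, and splunkd management on 8089.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   0.0.0.0:514        0.0.0.0:*
LISTEN 0      4096   [::]:8089          [::]:*'

# Demonstration on the samples: prints "2", then "listening".
printf '%s\n' "$SAMPLE_TCPDUMP" | count_packets_from 10.0.0.1 514
printf '%s\n' "$SAMPLE_SS" | port_listening 514

# Live use on the forwarder (placeholder sender 10.0.0.1):
#   sudo tcpdump -nn -i any -c 50 src host 10.0.0.1 and dst port 514 2>/dev/null | count_packets_from 10.0.0.1 514
#   ss -lnt | port_listening 514
```

If the packet count is non-zero but nothing is listening, the forwarder needs a `[tcp://514]` stanza in inputs.conf (and a process that can bind a port below 1024); if it is listening and the data still never appears in search, check the forwarder's outputs.conf and the indexer's `[splunktcp://9997]` input, then widen the search time range, since a wrongly parsed timestamp puts events outside the window you are looking at.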

axcastillo
Engager

@FrankVl That tcpdump command is golden for troubleshooting any tcpin input. I just used it to show that Splunk was indeed receiving the data but a bad timestamp was causing the "lag". Saved this command for future troubleshooting sessions. Thanks for sharing it with us.
