Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to check whether splunk is receiving logs from particular IP

splunklearner
Communicator
‎11-09-2024 07:18 AM

Hi Guys,

Syslog is sent to forwarder IP through TCP 9523 port. I am unable to receive those syslog in forwarder or indexer.

How to check whether syslog is received in forwarder ?

How to receive those syslog in indexer?

Getting those logs from network device.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2024 10:28 AM
@splunklearner wrote:

I am unable to receive those syslog in forwarder or indexer.

Why not?  What errors do you see?

Sending syslog directly to a Splunk process is not good practice.  Syslog events should be sent to a dedicated syslog server (like rsyslog or syslog-ng) and saved to disk.  Then have a Splunk Universal Forwarder monitor those disk files.

---
If this reply helps you, Karma would be appreciated.
Reply

splunklearner
Communicator
‎11-09-2024 11:39 AM

Hi @richgalloway ,

Yes we have a dedicated syslog ng server and UF in place to forward it to indexer. 

But we are not receiving logs.. how can I troubleshoot this issue? To check whether issue is from splunk end or requestor end?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2024 04:57 PM

Check the whole path from sender to receiver to Splunk.  Verify network connectivity at each step.

Verify the syslog server is writing data to disk.  Confirm Splunk is monitoring those files and has read access to them.  Check splunkd.log to see if there are messages about the files.

Check the indexer for internal log files from the forwarder.  If they are not present then you have a connectivity problem between the forwarder and indexer (at least).

When searching for data, use a wide time window that includes the future (earliest=-2d latest=+2d) in case the events are not onboarded properly.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...