About acavenago

acavenago · ‎09-18-2024

Hello, we configured rsyslog and it is now receiving logs from appliances, saves them locally to disk and send the copies to the remote destinations on client side. But we have now problems with indexing, as far as data is not being received anymore from the HFs. I think the UFs are undersized to perform all of these activities. Is there a way to check if we have a performance problem now? Thank you, Andrea

acavenago · ‎09-16-2024

Thank you @PickleRick , we'll try and use rsyslog instead of Splunk to forward the logs and let you know if we solved the issue. Can you please tell me what do you think about the duplicate events in the index? What should I investigate? Thank you, Andrea

acavenago · ‎09-12-2024

Good evening everyone, we have a problem in a Splunk cluster, composed of 3 indexers, 1 CM, 1 SH, 1 Deployer, 3 HF, 3 UF. The UFs receive logs from different Fortinet sources via syslog, and write them to a specific path via rsyslog. Splunk_TA_fortinet_fortigate is installed on the forwarders. These logs must be saved to a specific index in Splunk, and a copy must be sent to two distinct destinations (third-party devices), in two different formats (customer needs). Since the formats are different (one of the two contains TIMESTAMP and HOSTNAME, the other does not), via rsyslog they are saved to two distinct paths applying two different templates. So far so good. The issues we have encountered are: - Some events are indexed twice in Splunk - Events sent to the customer do not always have a format that complies with the required ones For example, in one of the two cases the required format is the following: <PRI> date=2024-09-12 time=14:15:34 devname="device_name" ... But looking at the sent packets via tcpdump, some are correct, others are in the format <PRI> <IP_address> date=2024-09-12 time=14:15:34 devname="device_name" ... and more in the format <PRI> <timestamp> <IP_address> date=2024-09-12 time=14:15:34 devname="device_name" ... The outputs.conf file is as follow: [tcpout] defaultGroup = default-autolb-group [tcpout-server://indexer_1:9997] [tcpout-server://indexer_2:9997] [tcpout-server://indexer_3:9997] [tcpout:default-autolb-group] server = indexer_1:9997,indexer_2:9997,indexer_3:9997 disabled = false [syslog] [syslog:syslogGroup1] disabled = false server = destination_IP_1:514 type = udp syslogSourceType = fortigate [syslog:syslogGroup2] disabled = false server = destination_IP_2:514 type = udp syslogSourceType = fortigate priority = NO_PRI This is the props.conf: [fgt_log] TRANSFORMS-routing = syslogRouting [fortigate_traffic] TRANSFORMS-routing = syslogRouting [fortigate_event] TRANSFORMS-routing = syslogRouting and this is the trasforms.conf: [syslogRouting] REGEX=. DEST_KEY=_SYSLOG_ROUTING FORMAT=syslogGroup1,syslogGroup2 Any ideas? Thank you, Andrea

acavenago · ‎02-26-2024

Hi @kiran_panchavat , thank you for all the information. I was already able to list HF info in MC/Forwarders menu. What I need is to have HF also listed in MC/Resource Usage, where right now I have only Cluster Manager and Indexers nodes. Kind regards, Andrea

acavenago · ‎02-20-2024

Hello, I have a multi-site cluster at version 9.0.1, with several Indexers, SHs, and HF/UFs. The Monitoring Console is configured on the Cluster Manager, and "Forwarder Monitoring" is enabled, which allows me to see the status of the forwarders. What is missing is the possibility to select HF in the Resource Usage section of the Monitoring Console. They are not available. How can I get them to appear in Resource Usage in the Monitoring Console? Thank you, Andrea

acavenago · ‎12-01-2023

Hi isoutamo, sorry for the dumb question, but I have to put only MN in maintenance mode or also the other nodes (except SH)? Do I have also to stop Splunk manually or it is automatically stopped during the OS shutdown? Thank you, Andrea

acavenago · ‎12-01-2023

Thank you @richgalloway Is there a way to avoid losing alerts generated during the smtp server offline period? Thank you, Andrea

acavenago · ‎12-01-2023

Hello, we need to patch the OS of our Splunk Enterprise cluster distributed on 2 sites, A & B. We will start the activity on site A, which contains one Deployer Server, two SH, one MN, three Indexer and three HF. Site B contains one SH, three Indexer and one HF and will be updated later. Considering that the patching of OS will require a restart of the nodes, can you please tell me Splunk Best Practice to restart the Splunk nodes? I'd start with the SH nodes then the Indexer nodes, Deployer, MN and HF. All one by one. Do I have to enable maintenance mode on each node, restart the node and disable maintenance mode, or is it sufficient to stop Splunk on each node and restart the machine? Thank you, Andrea

acavenago · ‎12-01-2023

Hello, can you please tell me what happens to email alerts if the smtp used for email delivery is temporary offline? Is there a buffer where alerts are saved and then are sent once the smtp server becomes available again? Is there a link to Splunk documentation about that? Thank you, Andrea

Posts	9
Solutions	0
Karma Given	2
Karma Received	0
Member Since	‎08-31-2023

Online Status	Offline
Date Last Visited	‎09-20-2024 01:08 PM

Forwarding syslog to third-party software

How to get Resource Usage information of Heavy For...

Splunk Nodes Restart

Email Alerts

Re: Forwarding syslog to third-party software

Re: Forwarding syslog to third-party software

Forwarding syslog to third-party software

Re: How to get Resource Usage information of Heavy...

How to get Resource Usage information of Heavy For...

Re: Splunk Nodes Restart

Re: Email Alerts

Splunk Nodes Restart

Email Alerts