Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About pdherndon
pdherndon
New Member
Member since:
09-14-2012
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-14-2012 |
Activity Feed
- Posted Re: Splunk syslog event count too low compared to kiwi syslog server on Windows platform on Getting Data In. 11-06-2012 09:57 AM
- Posted Re: Splunk syslog event count too low compared to kiwi syslog server on Windows platform on Getting Data In. 11-06-2012 09:11 AM
- Posted Re: Splunk syslog event count too low compared to kiwi syslog server on Windows platform on Getting Data In. 11-06-2012 07:39 AM
- Posted Re: Splunk syslog event count too low compared to kiwi syslog server on Windows platform on Getting Data In. 11-06-2012 07:36 AM
- Posted Re: Splunk syslog event count too low compared to kiwi syslog server on Windows platform on Getting Data In. 11-06-2012 07:31 AM
- Posted Splunk syslog event count too low compared to kiwi syslog server on Windows platform on Getting Data In. 11-05-2012 03:22 PM
- Tagged Splunk syslog event count too low compared to kiwi syslog server on Windows platform on Getting Data In. 11-05-2012 03:22 PM
- Tagged Splunk syslog event count too low compared to kiwi syslog server on Windows platform on Getting Data In. 11-05-2012 03:22 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
11-06-2012
09:57 AM
OK, can someone give me a suggestion as to how I should validate the syslog configuration on this Linux server? (Ubuntu 10.04.2 LTS) I've tried looking for docs on this, but wasn't able to get very far.
... View more
11-06-2012
09:11 AM
I admit that I'm a Linux user, not an admin. I run ifconfig and I see eth0 (IP xx.xxx.xxx.3), eth1 (.34), and eth2 (.2). It is eth2's IP that I've configured the APs to use. When I run tcpdump -i eth2 "udp[2:2] = 514", I don't see any input. When I run tcpdump -i eth0 "udp[2:2] = 514", I do see some input. (I did config 2-3 APs to use the .3 syslog address as a test). Is it possible that syslog is not configured appropriately on this Linux server for eth2 to be the correct IP address? I should have seen many hundreds of lines on eth2 while tcpdump ran.
... View more
11-06-2012
07:39 AM
(Part 3)
I have kiwi installed on a much less powerful Windows 7 PC using 1 100Mb interface set up for UDP 514 (like Splunk).
... View more
11-06-2012
07:36 AM
I'll try to respond to your questions/theories in order: (Part 2):
- I have set up only one data input --> syslog on UDP 514. I have five different sites (IP subnets define which sites the events are coming from). I have both Splunk's and kiwi's syslog IPs configured on the access points I'm monitoring. Comparing line-by-line the Splunk server with kiwi and device, Splunk shows far too few events.
I've have verified that both Ethernet interfaces (Gig) on the Linux server and the switch port are running error-free with no drops.
... View more
11-06-2012
07:31 AM
(These comment fields are too short to answer your questions in one response, so I'll try to use two comments to respond:)
I'll try to respond to your questions/theories in order: (Part 1)
Searching over all time still shows event counts that are probably .01% of the events I see from the same source over the same time period in kiwi syslog server.
I don't know how to verify what events are reaching the splunkd process on my Linux server, but I verify what should be logged by Splunk by what I see in the kiwi syslog server and on the devices themselves.
... View more
11-05-2012
03:22 PM
I have configured approx. 100 access points to send syslog events to both Splunk and to a kiwi syslog server I have set up on a Windows 7 PC. (Splunk is installed on a fairly high powered Linux server). When I compare the events logged in Splunk to the events captured in the kiwi server and on the access points themselves, I see a huge difference. I can have over 2100 events from an access point captured in my kiwi server, (verified by looking at the AP itself), while I see 4 events in Splunk.
I have looked at the Manager>Systems Settings>System Logging logging levels, and they are set to INFO, and I looked at the configuration in $SPLUNK_HOME/etc/log.cfg. I see rootCategory=INFO,A1. I have scanned through these questions, but could not find one posted that seemed to help with this.
What else should I look at regarding Splunk's configuration? Even though I see a huge discrepancy between Splunk's syslog events and kiwi's, I still see a great number of events in Splunk's Search window.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
