Logs are not forwarded to splunk from splunk forwa...

muqeeiz · ‎09-21-2023

Hi,

my logs do not appear in the index and in splunkd.log i get the following error

09-21-2023 16:36:40.693 +0200 INFO  AutoLoadBalancedConnectionStrategy [7698 TcpOutEloop] - Connected to idx=xx.xx.xx.xx:16313, pset=0, reuse=0. using ACK.
09-21-2023 16:36:48.003 +0200 INFO  TailReader [7705 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
09-21-2023 16:37:10.613 +0200 INFO  AutoLoadBalancedConnectionStrategy [7698 TcpOutEloop] - Connected to idx=xx.xx.xx.xx:16313, pset=0, reuse=0. using ACK.
09-21-2023 16:37:18.002 +0200 INFO  TailReader [7705 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'

my inputs.conf has only the following:

[default]
host = myhostname
index = vcenter-index-name
[monitor:///var/log/remotelogs/vcenter-rep/analytics.log]
sourcetype =  "vcenter"
queueSize = 50MB
crcSalt = <SOURCE>
disabled = false

I would mention that I have the same configuration on a different server and logs end out in splunk without a problem and this error does not appear on the other servers:

09-21-2023 16:37:18.002 +0200 INFO  TailReader [7705 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'

gcusello · ‎09-21-2023

Hi @muqeeiz,

sorry, but I don't see any error in the messages you shared!

anyway, check the permissions on the files to read.

Ciao.

Giuseppe

Logs are not forwarded to splunk from splunk forwarder

indexer

Linux

syslog

universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?