Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Not receiving logs from Syslog Server
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have set up a universal forwarder to read logs from kiwi syslog server.
Universal Forwarder is set to forward logs to the Indexer via Heavy Forwarder.
I have also set up the Heavy Forwarder as deployment server.
I have deployed the following inputs.conf to the U.F by deploying an app from the deployment server.
[monitor://C:\Program Files (x86)\Syslogd\Logs\x.x.x.x\log*.txt]
index = main
sourcetype = syslog
disabled = false
With all the above settings, I still cant see any logs on the Indexer.
I have confirmed following things already,
- U.F has the right privilege to read logs from syslog's log folder.
- network connection established between Syslog Server and H.F on H.F's port 9997 and 8089.
- receiving port 9997 on Indexer enabled.
splunk btool inputs list monitor command also does not work on the U.F
Please help me troubleshoot this.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are only INFO messages.
Strangely, after I restarted the universal forwarder and re-deployed the app, I was able to see logs on the Indexer now. However, I am still unsure where was the fault.
Does restarting the U.F or splunk reload deploy-server both required to apply config settings on U.F ?
Also, in Forwarder Management, it shows me all info like apps, server classes and deployment client, however, in Settings-->Server Settings--> Deployment Client, it shows nothing at all. Any reason why ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are only INFO messages.
Strangely, after I restarted the universal forwarder and re-deployed the app, I was able to see logs on the Indexer now. However, I am still unsure where was the fault.
Does restarting the U.F or splunk reload deploy-server both required to apply config settings on U.F ?
Also, in Forwarder Management, it shows me all info like apps, server classes and deployment client, however, in Settings-->Server Settings--> Deployment Client, it shows nothing at all. Any reason why ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any messages in the splunkd.log file on the universal forwarder? It would be in Splunk_home\var\log\splunk\splunkd.log
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
