Hi All,
I have a UF installed on my Windows machine, and it has IIS logs and App logs. For the last few days, my forwarder has not been sending App logs to the indexers. I have another machine which has the same log files, but that one is sending logs to the indexer. So I have compared the permissions of the files and folders, but I'm not seeing any difference between the two systems. Can you please suggest how to fix it?
Thanks,
Arunkumar
Hi arunkns,
First, check if you're receiving logs from that server:
index=_internal host=your_server
If yes, there's an ingestion problem, otherwise there's a connection problem.
Ciao.
Giuseppe
I'm able to see the host in _internal, and the server has multiple logs like IIS and Apps. IIS logs are working fine; only the Apps logs are not coming into Splunk.
Hi arunkns,
Could you share the input.conf stanza of app logs and a sample of your app logs?
Ciao.
Giuseppe
Hi,
Have you checked $SPLUNK_HOME\var\log\splunk\splunkd.log
for any Warning or Error messages on the UF which is not sending data?
You can run $SPLUNK_HOME\bin\splunk.exe list inputstatus
on the UF, and you can check which file/directory the UF is monitoring.
Thanks Harsmarvania57, I don't see any error in splunkd.log, but when I ran the command in Windows (where the UF is installed), I got the below error.
AES-GCM Decryption failed!
Decryption operation failed: AES-GCM Decryption failed!
error:00000000:lib(0):func(0):reason(0)
AES-GCM Decryption failed!
Decryption operation failed: AES-GCM Decryption failed!
error:00000000:lib(0):func(0):reason(0)
AES-GCM Decryption failed!
Decryption operation failed: AES-GCM Decryption failed!