Re: Forwarder stopped forwarding after restart of ...

johnsmithman2 · ‎08-09-2012

I am using the VMware Syslog collector to collect the logs from my ESXi hosts and send them to Splunk with the universal forwarder. Everything was working great until I restarted the server with the Syslog collector and the universal forwarder today. The logs are no longer being forwarded or Splunk is not indexing the received messages, what could cause this?

I know it is not a problem with the VMware Syslog collector because the service is running fine and the logs are being updated from the ESXi hosts.

Any ideas on what causes this after a restart?

idsiano · ‎03-18-2015

In this thread it was explained that is a VMWare issue

kreszan · ‎09-19-2014

I have similar issue @ 6.0. Any resolution to this ?

mrflibbleuk · ‎11-05-2012

Did you get any resolution to this one? I have had a similar issue, when I restarted the main Splunk server the Heavy forwarders seem to be unable to communicate to the server. Looking at the forwarder event logs I am getting an 'eventType=connect_fail' everytime it attempts to connect.

Sometimes restarting the splunk forwarder makes it psring back into life.

johnsmithman2 · ‎08-09-2012

Yes it is, I should have mentioned that also.

Drainy · ‎08-09-2012

Have you verified that the universal forwarder is also still running?

Forwarder stopped forwarding after restart of server

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!