Hello,
In our Splunk environment, BlueCoat logs are getting into the forwarder, but they aren't getting into the indexer from the forwarder. Can anyone help us troubleshoot or find where the problem is? Thanks in advance.
Can you post additional information to help clarify your issue?
Thank you.
Sometimes when I try to find the "bluecoat_syslogs" through the search head, I get the logs, and sometimes it gives 'no results found'. May I know why this is happening and how to overcome the issue?
Hello Adam,
We are using a heavy forwarder. The logs are being sent to syslog and then forwarded to the heavy forwarder; from the forwarder, the logs are unable to get into the indexer.
Yesterday morning around 5.45 am was the last update, and up to now we are unable to see any logs being generated.
Other event logs are being properly forwarded and indexed.
I have restarted the forwarder service and am still unable to find the logs being updated.
-Thanks
Are the BlueCoat logs still being forwarded to the syslog server? Have you noticed errors in any of the log files (splunkd.log, etc.)?
Thank you.
Hello Adam,
This is the stanza we tried to execute and check for the logs:
"[monitor:///opt/syslogs/proxy/...]
whitelist = .log$
sourcetype = bluecoat_syslog
index = net_proxy
host_segment = 4"
We have verified the splunkd.log; we cannot see any error in it. The data is getting injected, but it is intermittent.
Is there any other way to fix it permanently?