Getting Data In

Why did Splunk stop collecting syslog logs?

lorder
Explorer

I installed Splunk last week, and I'm only collecting data (syslog) from one source.

Data stopped being collected this morning. I use Wireshark on the source server and on Splunk, and I see that syslog messages are coming and going, but I don't see the logs in Splunk. Latest event: 3 hours ago.

License: Trial license group
License expiration Nov 17, 2018 4:04:30 PM

Licensed daily volume 500 MB

Volume used today 121 MB (24.135% of quota)

OS Windows 10 (Microsoft Windows [Version 10.0.16299.15])
Splunk Version: 7.1.3 Build: 51d9cac7b837

mstjohn_splunk
Splunk Employee

Hi @lorder,

Could you give us some more context on this issue? For instance, as @dauren_akilbekov said, have you documented any errors that you could post? The more information you provide the community, the better chance you have of getting your question answered.

Thanks for posting!

JDukeSplunk
Builder

You should read or watch this excellent session from .conf 2017 - it was a very well attended session. This will give you a best practice syslog server to collect the logs:

http://conf.splunk.com/sessions/2017-sessions.html#search=critical%20syslog%20tricks&
https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about...

dauren_akilbeko
Communicator

Are you seeing errors at index=_internal source splunkd?

lorder
Explorer

I use "index=_internal log_level=ERROR" and the last errors are:

09-20-2018 16:40:21.585 +0500 ERROR KVStoreBulletinBoardManager - KV Store changed status to failed. KVStore process terminated.

09-20-2018 16:40:21.584 +0500 ERROR KVStoreBulletinBoardManager - KV Store process terminated abnormally (exit code 14, status exited with code 14). See mongod.log and splunkd.log for details.

09-20-2018 16:40:21.568 +0500 ERROR MongodRunner - mongod exited abnormally (exit code 14, status: exited with code 14) - look at mongod.log to investigate.

2018-09-20 11:53:28,490 ERROR [5ba0dbbf9d126fbfbf240] root:130 - ENGINE: Handler for console events already off.

0 Karma
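The errors above come in two shapes: splunkd.log records (`MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message`) and a Python-logging record (`YYYY-MM-DD HH:MM:SS,mmm LEVEL [id] logger:line - message`). As an added example, not from the thread or from Splunk, here is a small parser that recognises both, counts ERROR records per component, and pulls the exit code out of the KV Store / mongod messages so the failing component is obvious at a glance; the component names and sample lines are constructed to mirror the ones posted.

```python
# Added example (not from the thread): parse ERROR lines of the two formats
# posted above, count them per component, and pull out the mongod exit code.
import re
from collections import Counter

# splunkd.log style: 09-20-2018 16:40:21.585 +0500 ERROR Component - message
SPLUNKD_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$")
# Python-logging style: 2018-09-20 11:53:28,490 ERROR [id] root:130 - message
PYLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[[0-9a-f]+\] (?P<component>[^:\s]+):\d+ - (?P<msg>.*)$")
EXIT_CODE_RE = re.compile(r"exit code (\d+)")
KVSTORE_COMPONENTS = {"MongodRunner", "KVStoreBulletinBoardManager"}

# Constructed sample, mirroring the lines posted in the thread.
SAMPLE_LINES = [
    "09-20-2018 16:40:21.585 +0500 ERROR KVStoreBulletinBoardManager - "
    "KV Store changed status to failed. KVStore process terminated.",
    "09-20-2018 16:40:21.568 +0500 ERROR MongodRunner - mongod exited abnormally "
    "(exit code 14, status: exited with code 14) - look at mongod.log to investigate.",
    "2018-09-20 11:53:28,490 ERROR [5ba0dbbf9d126fbfbf240] root:130 - "
    "ENGINE: Handler for console events already off.",
    "this is not a log record and is counted as unparsed",
]

def parse_line(line):
    """Return ts/level/component/msg for a recognised line, else None."""
    for pattern in (SPLUNKD_RE, PYLOG_RE):
        m = pattern.match(line)
        if m:
            return m.groupdict()
    return None

def summarize(lines):
    """Return (errors per component, KV Store/mongod exit codes, unparsed count)."""
    per_component, exit_codes, unparsed = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["level"] == "ERROR":
            per_component[rec["component"]] += 1
            if rec["component"] in KVSTORE_COMPONENTS:
                found = EXIT_CODE_RE.search(rec["msg"])
                if found:
                    exit_codes.append(int(found.group(1)))
    return per_component, exit_codes, unparsed
```

Feed `summarize()` the ERROR lines exported from `index=_internal log_level=ERROR` (or read straight from splunkd.log) and the per-component counts plus any mongod exit codes tell you whether the KV Store failure is the only thing going wrong or just the loudest.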