Getting Data In

Heavy Forwarders stopped receiving some logs

vnguyen46
Contributor

Hi,

I have a new HF that accepted logs for about a week, then stopped receiving almost all logs at the same time.
I compared this HF with the old working one and I don't see rotated logs created on the new HF.

For instance, in the log1 directory, I see log1.log and several other copies like log1.log-date1.gz and log1.log-date2.gz and so on, but on the new HF I only see log1.log.

I think not creating rotated logs on the HF could be the issue, but I'm not sure, and I don't know how to have these rotated logs created.
If anyone can help, I'd appreciate it.

Thanks,


richgalloway
SplunkTrust

Have you verified the new HF is running (splunk status)?

---
If this reply helps you, Karma would be appreciated.

vnguyen46
Contributor

Hi - yes, it's running. I don't see any .gz files in any directories.


richgalloway
SplunkTrust

Heavy Forwarders typically don't use a directory called "log1" so I wonder if you're looking at a syslog directory. If so, make sure the syslog process is running and data sources are still sending to it (no new firewall rule is blocking them, for instance).

---
If this reply helps you, Karma would be appreciated.

vnguyen46
Contributor

Hi richgalloway - on the HF, logs are stored at: /opt/splunklogs/hostname/hostname.log
I also see some files like hostname.log-timestamp.gz. Are these .gz files created by Splunk and supposed to be there?

Thank you,


isoutamo
SplunkTrust

Usually those are created by, e.g., some syslog variant, not Splunk. You should figure out which tool is used in your environment to deliver/receive those logs. Many times it is syslog, syslog-ng or rsyslog. And in the network topology there could be a load balancer in front of those HF hosts to distribute events to all of them.

And probably there are also some log rotation tools to rotate and zip those logs?

R. Ismo

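The two checks suggested in the replies above (is the syslog landing file still being written, and is a log rotation tool actually configured for that path) can be scripted so they run the same way on the old and the new HF. The following is an added example, not code from the thread or from Splunk; the /opt/splunklogs/<host>/<host>.log layout is taken from the thread, while the hostnames, the sample logrotate stanza and the 15-minute staleness threshold are assumptions. It builds a throwaway directory tree with one healthy host log and one that matches the symptom (no writes for two hours, no .gz copies) and triages both.

```python
"""Triage a syslog landing directory on a heavy forwarder (added example).

Checks, on constructed data: is the live log still being written, how many
rotated copies (<name>-<stamp>.gz) exist, and does a logrotate stanza cover
the path at all.  Paths, hostnames and the sample config are assumptions.
"""
import os
import re
import shutil
import tempfile
import time


def _glob_match(pattern, path):
    """Match a logrotate-style glob: '*' and '?' never cross a '/' (glob(3) semantics)."""
    regex = "".join(
        "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, path) is not None


def logrotate_stanzas(config_text):
    """Parse 'path [path ...] { directives }' blocks; comments and blank lines are dropped."""
    stanzas = []
    pattern = r"^\s*([^{}\n#]+?)\s*\{\s*\n(.*?)^\s*\}"
    for header, body in re.findall(pattern, config_text, re.S | re.M):
        directives = [ln.strip() for ln in body.splitlines()
                      if ln.strip() and not ln.lstrip().startswith("#")]
        stanzas.append((header.split(), directives))
    return stanzas


def logrotate_covers(config_text, path):
    """Return the directives of the first stanza whose globs match path, or None."""
    for globs, directives in logrotate_stanzas(config_text):
        if any(_glob_match(g, path) for g in globs):
            return directives
    return None


def inspect_log_dir(directory, log_name, now, stale_after=900):
    """Report on a live log and its rotated copies (log_name-<stamp>.gz) in directory."""
    live = os.path.join(directory, log_name)
    if not os.path.exists(live):
        return {"exists": False, "age_seconds": None, "rotated": 0, "stale": True}
    rotated = [f for f in os.listdir(directory)
               if f.startswith(log_name + "-") and f.endswith(".gz")]
    age = now - os.path.getmtime(live)
    return {"exists": True, "age_seconds": age, "rotated": len(rotated),
            "stale": age > stale_after}


# Constructed logrotate config for the /opt/splunklogs/<host>/<host>.log layout
# from the thread.  The HUP tells rsyslog to reopen the renamed file; with a
# different receiver (syslog-ng, a Splunk input) the postrotate line changes.
SAMPLE_LOGROTATE_CONF = """\
# rotate per-host syslog files received on the forwarder
/opt/splunklogs/*/*.log {
    daily
    rotate 7
    compress
    missingok
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service
    endscript
}
"""


def demo(now=None):
    """Build a throwaway tree with one healthy and one dead host log and triage both."""
    now = time.time() if now is None else now
    base = tempfile.mkdtemp(prefix="splunklogs-")
    results = {}
    # host1: written 3 s ago, two rotated copies   -> healthy, rotation works
    # host2: last write 2 h ago, no rotated copies  -> stale, the thread's symptom
    for host, age, rotated in (("host1", 3, 2), ("host2", 7200, 0)):
        d = os.path.join(base, host)
        os.mkdir(d)
        live = os.path.join(d, host + ".log")
        with open(live, "w") as fh:  # constructed sample syslog line
            fh.write("<13>May 14 10:00:00 %s sshd[1]: constructed sample line\n" % host)
        os.utime(live, (now - age, now - age))
        for i in range(rotated):
            open(os.path.join(d, "%s.log-2024051%d.gz" % (host, i)), "wb").close()
        results[host] = inspect_log_dir(d, host + ".log", now)
        results[host]["rotation_configured"] = logrotate_covers(
            SAMPLE_LOGROTATE_CONF, "/opt/splunklogs/%s/%s.log" % (host, host)) is not None
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for host, report in sorted(demo().items()):
        print(host, report)
```

On the real host the same questions are answered with `systemctl status rsyslog` (or syslog-ng), `ss -lntup | grep 514` to confirm the receiver is listening, `ls -la --time-style=full-iso /opt/splunklogs/*/` to spot a file whose mtime stopped advancing, and `logrotate -d /etc/logrotate.d/<file>` to dry-run rotation and see which stanza, if any, claims the path. A stale live file with the receiver still running points at the upstream side (load balancer pool membership, a firewall rule) rather than at the HF itself; a live file that keeps growing but never rotates is only a disk-space problem, not the cause of lost events.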