Currently we have an issue getting data into the heavy forwarder. We can see that the stanza below is configured on the heavy forwarders, but when we check the path named in the stanza, we cannot see logs arriving on the server from the source.
Heavy forwarder stanza:
[monitor:///opt/syslogs/symantec/SymantecServer/...]
whitelist = \.log
index = Symantec
sourcetype = sep
host_segment = 5
Indexer inputs.conf stanza:
[udp://hostname.com:8501]
connection_host = dns
index = Symantec
source = hostname.com:8501
sourcetype = sep
Source where Splunk monitors the logs from the heavy forwarder. Currently there are no logs under this folder:
source="/opt/syslogs/symantec/SymantecServer/hostname/hostname.log"
Splunkd.log from the Universal Forwarder server (version 6.2):
06-22-2016 01:31:13.857 -0400 ERROR TcpOutputFd - Connection to host=x.x.x.x:9997 failed
06-22-2016 01:31:43.615 -0400 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997
Initially the logs were getting into this heavy forwarder server from the universal forwarder server, but somehow this got broken. Kindly guide us in fixing this issue.
Thanks in advance
How to troubleshoot why we are unable to get data into our heavy forwarder and then to our indexer?
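As an added example, not part of the question above or of Splunk's own code, the script below models how the quoted monitor stanza selects files and derives the host, so you can check on the heavy forwarder itself whether anything under the monitored path would ever be picked up. It assumes Splunk's documented semantics: `whitelist`/`blacklist` are regular expressions searched against the full path, a trailing `/...` in the stanza means recursive, and `host_segment = N` takes the Nth path component (1-based). The parser is a deliberately minimal model of inputs.conf, and the sample stanzas are the ones quoted in the post.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample: the two stanzas quoted in the post, in inputs.conf syntax.
SAMPLE_INPUTS_CONF = r"""
[monitor:///opt/syslogs/symantec/SymantecServer/...]
whitelist = \.log
index = Symantec
sourcetype = sep
host_segment = 5

[udp://hostname.com:8501]
connection_host = dns
index = Symantec
source = hostname.com:8501
sourcetype = sep
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf parser: '[stanza]' headers followed by 'key = value' lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def monitor_root(stanza_name: str) -> Optional[str]:
    """Directory a monitor stanza watches, or None for other input types.
    A trailing '/...' is the recursive wildcard; the root is what precedes it."""
    if not stanza_name.startswith("monitor://"):
        return None
    path = stanza_name[len("monitor://"):]
    if path.endswith("/..."):
        path = path[:-len("/...")]
    return path.rstrip("/") or "/"


def would_monitor(stanza_name: str, settings: Dict[str, str], file_path: str) -> bool:
    """Model of the selection rule (assumption: whitelist/blacklist are regexes
    searched against the full path; a file must lie under the stanza's root)."""
    root = monitor_root(stanza_name)
    if root is None or not file_path.startswith(root + "/"):
        return False
    whitelist = settings.get("whitelist")
    if whitelist and not re.search(whitelist, file_path):
        return False
    blacklist = settings.get("blacklist")
    if blacklist and re.search(blacklist, file_path):
        return False
    return True


def host_from_segment(file_path: str, host_segment: int) -> Optional[str]:
    """host_segment = N picks the Nth path component (1-based, leading '/' dropped)."""
    segments = file_path.strip("/").split("/")
    if 1 <= host_segment <= len(segments):
        return segments[host_segment - 1]
    return None


def explain_path(stanza_name: str, settings: Dict[str, str], file_path: str) -> Dict[str, object]:
    """Summarise how one file would be treated under a monitor stanza."""
    result: Dict[str, object] = {
        "path": file_path,
        "monitored": would_monitor(stanza_name, settings, file_path),
        "index": settings.get("index"),
        "sourcetype": settings.get("sourcetype"),
        "host": None,
    }
    if "host_segment" in settings:
        result["host"] = host_from_segment(file_path, int(settings["host_segment"]))
    return result


def files_on_disk(stanza_name: str, settings: Dict[str, str]) -> List[str]:
    """Walk the monitored root on this machine and list every file the stanza would
    pick up. An empty list means the directory is empty or nothing passes the whitelist,
    which is the symptom the post describes."""
    root = monitor_root(stanza_name)
    picked: List[str] = []
    if root is None:
        return picked
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if would_monitor(stanza_name, settings, full):
                picked.append(full)
    return picked


if __name__ == "__main__":
    stanzas = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for name, settings in stanzas.items():
        if monitor_root(name) is None:
            print(f"{name}: not a monitor stanza, nothing to check on disk")
            continue
        # What-if for the path quoted in the post, then whatever really exists on this host.
        print(explain_path(name, settings, "/opt/syslogs/symantec/SymantecServer/hostname/hostname.log"))
        print(f"{name}: {len(files_on_disk(name, settings))} matching file(s) on this host")
```

Run it on the heavy forwarder: if `files_on_disk` returns nothing while the what-if line shows `monitored: True`, the stanza is fine and the problem is upstream (no files are being written into that directory), which matches the TcpOutput connection errors in the universal forwarder's splunkd.log rather than a whitelist or host_segment mistake.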