We have set up a universal forwarder and it worked quite nice until a certain date. Since then, no more entries are forwarded to our Splunk server. The problem occurred after we updated our OS to the latest version (Ubuntu 16.04.2 LTS). So we initially suspected some permissions in the directory the log file is located, but updating them didn't work.
The Splunk server itself still receives data from other forwarder instances without any problems, so the problem most likely is located on the server where the forwarder is running, especially since we can put the time it stopped working roughly around the same time we updated the OS.
With `list monitor` I can see the file we're trying to forward (but we didn't change anything here, so it should be there). But no info if it's being processed at all.
Any ideas where to start? We already checked the splunkd.log, but didn't find anything that helped us. But we also had no real idea what to look for. We just checked for errors that would contain the name of our log file or the IP of the server we're forwarding to.
↧