Hi all, I have a very strange thing:
I'm using Splunk 7.0.0 in all systems.
I have two Heavy Forwarders with a Netscaler load balancer in front of them; they receive syslogs and send them to two Indexers.
There is a Cisco ACS that sends syslogs to my HFs and it was running.
Some time ago there was an upgrade of the Cisco ACS, and from that moment I don't receive events any more.
Checking Splunk logs I found that I have in _internal from the HFs the following logs:
11-22-2017 15:24:14.423 +0100 INFO Metrics - group=udpin_connections, xx.xx.xx.xx:514, sourcePort=514, _udp_bps=71.82, _udp_kbps=0.07, _udp_avg_thruput=0.08, _udp_kprocessed=27.53, _udp_eps=0.10
11-22-2017 15:24:14.420 +0100 INFO Metrics - group=per_host_thruput, series="xx.xx.xx.xx", kbps=0.0650822688668127, eps=0.06451524038685016, kb=2.017578125, ev=2, avg_age=31536011.5, max_age=31536023
Where xx.xx.xx.xx is the HF's IP address.
This means that the HFs are receiving logs, but they aren't indexed.
Can anyone help me understand what's happening?
Bye.
Giuseppe
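The two Metrics lines quoted above carry the numbers needed for a first triage: the udpin_connections record shows the UDP listener is still receiving (_udp_eps), and the per_host_thruput record reports avg_age and max_age of the forwarded events in seconds. The following parser is an added example written for this post; it is not code from the original question or from Splunk. It parses splunkd Metrics lines into key/value records, converts avg_age to days and flags hosts whose events look old; on the quoted line avg_age=31536011.5 works out to just over 365 days. The sample lines are the ones from the post, with the address left masked, and the one-day threshold is an assumption, not a Splunk default.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample input: the two splunkd Metrics lines quoted in the post,
# with the HF address masked exactly as in the original.
SAMPLE_LINES = [
    "11-22-2017 15:24:14.423 +0100 INFO Metrics - group=udpin_connections, "
    "xx.xx.xx.xx:514, sourcePort=514, _udp_bps=71.82, _udp_kbps=0.07, "
    "_udp_avg_thruput=0.08, _udp_kprocessed=27.53, _udp_eps=0.10",
    "11-22-2017 15:24:14.420 +0100 INFO Metrics - group=per_host_thruput, "
    'series="xx.xx.xx.xx", kbps=0.0650822688668127, eps=0.06451524038685016, '
    "kb=2.017578125, ev=2, avg_age=31536011.5, max_age=31536023",
]

# splunkd timestamp with offset, log level, the literal "Metrics - ", then the
# comma-separated key=value body.
METRICS_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) Metrics - (?P<body>.*)$"
)

Value = Union[str, float]
SECONDS_PER_DAY = 86400.0


def _coerce(raw: str) -> Value:
    """Strip quotes and turn numeric values into floats; leave names as strings."""
    raw = raw.strip().strip('"')
    try:
        return float(raw)
    except ValueError:
        return raw


def parse_metrics_line(line: str) -> Optional[Dict[str, Value]]:
    """Parse one Metrics line into a dict; returns None for non-Metrics lines."""
    m = METRICS_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, Value] = {"_time": m.group("ts"), "level": m.group("level")}
    for part in m.group("body").split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, raw = part.split("=", 1)
            rec[key.strip()] = _coerce(raw)
        else:
            # udpin_connections carries a bare "host:port" token with no key;
            # the name "listener" is chosen here, it is not a Splunk field name.
            rec["listener"] = part
    return rec


def udp_receive_rate(lines: List[str]) -> Dict[str, float]:
    """Map each UDP listener to its _udp_eps, i.e. what the input is receiving."""
    rates: Dict[str, float] = {}
    for line in lines:
        rec = parse_metrics_line(line)
        if rec and rec.get("group") == "udpin_connections":
            eps = rec.get("_udp_eps")
            if isinstance(eps, float):
                rates[str(rec.get("listener", "?"))] = eps
    return rates


def stale_hosts(lines: List[str], max_age_days: float = 1.0) -> List[Tuple[str, float]]:
    """Return (series, avg_age_in_days) for per_host_thruput records whose
    average event age exceeds max_age_days (threshold is an assumption)."""
    flagged: List[Tuple[str, float]] = []
    for line in lines:
        rec = parse_metrics_line(line)
        if not rec or rec.get("group") != "per_host_thruput":
            continue
        avg_age = rec.get("avg_age")
        if not isinstance(avg_age, float):
            continue
        days = avg_age / SECONDS_PER_DAY
        if days > max_age_days:
            flagged.append((str(rec.get("series", "?")), days))
    return flagged


if __name__ == "__main__":
    for listener, eps in udp_receive_rate(SAMPLE_LINES).items():
        print(f"{listener}: receiving {eps:.2f} events/s")
    for host, days in stale_hosts(SAMPLE_LINES):
        print(f"{host}: average event age {days:.1f} days")
```

A per-host avg_age of a year on a listener that is still receiving points at the event timestamps rather than the transport, so comparing this figure against what a time-bounded search on the indexers returns is a cheap first check before looking at network or parsing configuration.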