Troubleshooting
Overview
This section provides guidance for resolving common issues encountered when forwarding SANsymphony syslog messages through Logstash to Elasticsearch or Splunk. Work through the chain in order: first confirm the datagrams reach the Logstash host, then that Logstash parses them, then that the output side accepts them.
Logstash Not Receiving Syslog Messages
Problem: Logstash shows no received syslog messages (even when a stdout {} output is enabled in the pipeline).
Possible Causes and Solutions:
- Firewall blocking UDP traffic:
- Ensure that the firewall on the Logstash server allows incoming UDP traffic on the configured port (the syslog default is 514). Check the host firewall (iptables/firewalld on Linux, Windows Firewall on Windows) as well as any network firewall between the SANsymphony servers and the Logstash server.
- Logstash not listening on the port:
- On Linux, binding a port below 1024 (including 514) requires root or the CAP_NET_BIND_SERVICE capability, and Logstash normally runs as an unprivileged service user. Either grant the capability or use a port above 1024 (for example 5514) in both the Logstash udp {} input and the SANsymphony syslog settings. Confirm that the listener is open with ss -lun (Linux) or netstat -an (Windows).
- Incorrect Syslog configuration in SANsymphony: In the DataCore Management Console, go to Server Group > Settings > Syslog Settings, and verify:
- IP address of the Logstash server is correctly set.
- UDP port matches the one configured in the Logstash udp {} input block.
- Logstash configuration errors:
- Check the Logstash log file (typically logstash-plain.log in the logs directory of the Logstash installation) for parsing or configuration errors; a pipeline that fails to start never opens the UDP port at all.
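To separate a firewall drop from a Logstash configuration problem, it helps to take Logstash out of the picture: bind a throwaway UDP listener on the Logstash host and send one syslog datagram to it from a SANsymphony server. The script below is an added example, not a DataCore or Logstash tool, and runs both halves on 127.0.0.1 so it is self-contained; the host name ssv-node1, the facility local0 and the OS-chosen port are assumptions for the demo.

```python
"""Added example (not from the SANsymphony or Logstash documentation): a UDP
syslog delivery probe. Run the listener half on the Logstash host, on the port
Logstash is configured to bind, and the sender half from a SANsymphony server
to tell a firewall drop apart from a Logstash configuration problem. Here both
halves run on 127.0.0.1 so the script is self-contained.
"""
import socket
import threading
from datetime import datetime, timezone

# Assumed values for the demo; the page does not state the facility SANsymphony uses.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
CONSTRUCTED_HOST = "ssv-node1"   # constructed SANsymphony server name
CONSTRUCTED_APP = "SANsymphony"


def build_rfc5424(hostname, app, msg, facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Build a minimal RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}".encode()


def parse_pri(datagram):
    """Return (facility, severity) from the <PRI> header, raising on malformed input."""
    if not datagram.startswith(b"<") or b">" not in datagram[:6]:
        raise ValueError("datagram has no syslog PRI header")
    pri = int(datagram[1:datagram.index(b">")])
    return pri // 8, pri % 8


def probe_udp_delivery(listen_port=0, timeout=2.0):
    """Bind a throwaway UDP listener, send one syslog datagram to it and report what arrived.

    listen_port=0 lets the OS pick a free port (loopback demo). On a real Logstash
    host use the configured port instead: 514 needs root or CAP_NET_BIND_SERVICE on
    Linux, and Logstash must be stopped first or the bind fails with EADDRINUSE.
    """
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.bind(("127.0.0.1", listen_port))
    recv.settimeout(timeout)
    port = recv.getsockname()[1]
    got = []

    def wait_for_datagram():
        try:
            got.append(recv.recvfrom(65535))
        except socket.timeout:
            pass  # nothing arrived: firewall, wrong port, or wrong destination IP

    t = threading.Thread(target=wait_for_datagram)
    t.start()
    payload = build_rfc5424(CONSTRUCTED_HOST, CONSTRUCTED_APP,
                            "syslog probe from troubleshooting script")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as send:
        send.sendto(payload, ("127.0.0.1", port))
    t.join()
    recv.close()
    if not got:
        return {"port": port, "received": False, "sent": payload}
    data, peer = got[0]
    facility, severity = parse_pri(data)
    return {"port": port, "received": True, "sent": payload, "data": data,
            "peer": peer[0], "facility": facility, "severity": severity}


if __name__ == "__main__":
    result = probe_udp_delivery()
    print("received" if result["received"] else "NOT received", "on UDP port", result["port"])
    if result["received"]:
        print("facility/severity:", result["facility"], result["severity"],
              "payload:", result["data"].decode())
```

If the datagram arrives at the throwaway listener but never shows up in Logstash, the firewall and the SANsymphony destination settings are fine and the fault is in the Logstash udp {} input or pipeline; if it does not arrive, look at the firewalls and the port before touching Logstash.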
Syslog Data Not Visible in Elastic Search
Problem: Log messages are received by Logstash but are not indexed in Elasticsearch, so the expected dashboards show no data.
Possible Causes and Solutions:
- Kibana index pattern does not cover the index:
- KQL filters and dashboards only see indices matched by their index pattern (data view). For example, if the Logstash output block specifies index => "syslog_5424", make sure Kibana has an index pattern that matches syslog_5424*. Note that a dated setting such as index => "syslog_5424-%{+YYYY.MM.dd}" produces a new index every day, which the wildcard must cover.
- Mismatch in index name:
- Verify that the correct index value is specified in the elasticsearch {} output block of the Logstash configuration file, and remember that Elasticsearch index names must be lowercase.
- Elasticsearch index or permission issues:
- Ensure the credentials used in the Logstash configuration have write access to the specified index in Elasticsearch (index privileges such as write and create_index on the index name or pattern); otherwise Logstash logs 401 or 403 (security_exception) responses and the events are never indexed.
- Logstash output errors:
- Check the Logstash log for delivery failures (connection refused, TLS certificate errors, authentication responses) or mapping and parsing errors that prevent entries from being indexed. With stdout enabled you can confirm that an event reaches the output stage; if it does but never appears in Elasticsearch, the fault is in the elasticsearch {} output or on the Elasticsearch side.
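The index mismatch above is easy to check offline. The script below is an added example, not part of the SANsymphony, Logstash or Kibana documentation: it pulls the index => setting out of the elasticsearch {} output block, renders the daily date suffix Logstash substitutes, checks the resulting name against a Kibana index pattern, and flags names Elasticsearch would reject. It goes beyond the page's literal syslog_5424 example by handling the dated %{+YYYY.MM.dd} form. The pipeline text is constructed; the host es01, the user logstash_writer, the input port 5514 and the dated suffix are assumptions, and you would read your real pipeline file into config instead.

```python
"""Added example (not from the SANsymphony, Logstash or Kibana documentation):
check that the index named in a Logstash elasticsearch {} output is matched by
the Kibana index pattern a dashboard queries, and that the name is legal for
Elasticsearch. The pipeline text below is constructed for the example.
"""
import re
from datetime import date
from fnmatch import fnmatchcase

# Constructed pipeline; es01, logstash_writer, port 5514 and the date suffix are assumptions.
CONSTRUCTED_PIPELINE = r'''
input { udp { port => 5514 } }
output {
  elasticsearch {
    hosts => ["https://es01:9200"]
    user => "logstash_writer"
    password => "${LS_PWD}"
    index => "syslog_5424-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
'''


def plugin_body(config, plugin):
    """Return the body of the first `plugin { ... }` block. Braces are counted so
    ${VAR} and %{field} references inside the block do not end it early."""
    m = re.search(r'\b' + re.escape(plugin) + r'\s*\{', config)
    if not m:
        raise ValueError(f"no {plugin} {{ }} block in pipeline")
    depth, i = 1, m.end()
    while i < len(config) and depth:
        depth += {"{": 1, "}": -1}.get(config[i], 0)
        i += 1
    if depth:
        raise ValueError(f"unbalanced braces in {plugin} block")
    return config[m.end():i - 1]


def configured_index(config):
    """The literal index => "..." setting of the elasticsearch output."""
    m = re.search(r'index\s*=>\s*"([^"]+)"', plugin_body(config, "elasticsearch"))
    if not m:
        raise ValueError("elasticsearch output has no explicit index setting")
    return m.group(1)


def rendered_index(index_setting, day):
    """Expand the Logstash date sprintf (%{+YYYY.MM.dd}) to the concrete index name
    written on `day`; other %{field} references depend on the event, so they
    become a * placeholder."""
    def expand(m):
        spec = m.group(1)
        if spec.startswith("+"):
            fmt = spec[1:]
            for joda, py in (("YYYY", "%Y"), ("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d")):
                fmt = fmt.replace(joda, py)
            return day.strftime(fmt)
        return "*"
    return re.sub(r'%\{([^}]+)\}', expand, index_setting)


def index_name_problems(concrete_index):
    """Elasticsearch rejects names that are not lowercase, start with - _ +, or contain
    the characters below (* is left out because rendered_index uses it as a placeholder)."""
    problems = []
    if concrete_index != concrete_index.lower():
        problems.append("index name must be lowercase")
    bad = set(concrete_index) & set('\\/?"<>| ,#:')
    if bad:
        problems.append("illegal characters: " + "".join(sorted(bad)))
    if concrete_index.startswith(("-", "_", "+")):
        problems.append("index name must not start with -, _ or +")
    return problems


def pattern_covers(index_pattern, concrete_index):
    """Kibana index patterns use * as the only wildcard and are case-sensitive."""
    return fnmatchcase(concrete_index, index_pattern)


if __name__ == "__main__":
    setting = configured_index(CONSTRUCTED_PIPELINE)
    today = rendered_index(setting, date.today())
    print("Logstash index setting:", setting, "-> today's index:", today)
    print("problems:", index_name_problems(today) or "none")
    for pattern in ("syslog_5424*", "syslog-*"):
        print(f"pattern {pattern!r} covers it:", pattern_covers(pattern, today))
```

The brace-depth scan matters because a naive regex stopping at the first } would cut the block at ${LS_PWD} and miss the index setting entirely; the rendered name is what you should also compare against the indices listed by the Elasticsearch _cat/indices API.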
Syslog Data Does Not Appear in Splunk
Problem: Syslog messages from SANsymphony are not visible in Splunk's Search & Reporting interface, and the configured index does not show the expected log entries.
Splunk may take a short time to index incoming UDP messages; before troubleshooting, refresh the view, widen the time range and search the index explicitly (for example index=datacore).
Possible Causes and Solutions:
- UDP listener not configured in Splunk:
- Verify that a UDP data input is configured in Splunk (Settings > Data inputs > UDP) on the port Logstash sends to (example: 514), and that the Splunk host firewall allows it.
- Ensure the correct Source Type (example: syslog) and Index (example: datacore) are selected during data input setup; events sent to an index that does not exist are dropped by Splunk (check splunkd.log).
- Incorrect Splunk output configuration in Logstash:
- In the Logstash udp {} output block, confirm that the correct IP address and UDP port of the Splunk server are configured. UDP is fire-and-forget, so Logstash reports no error when nothing is listening; a packet capture on the Splunk host (for example tcpdump udp port 514) shows whether the datagrams arrive at all.
- Logstash output errors:
- Review the Logstash log for messages related to the udp {} output (for example host name resolution failures) or other pipeline errors that stop events before the output stage.