Hi,
I' m working on a solution that consist of Cribl sending logs to an Onprem syslog server . Is there a way to confirm whether Cribl has established communication with the destination endpoint ( like a ping feature) . The monitoring section in Cribl is showing data is flowing but we can't find anything on the syslog server .
Any assistance will be greatly appreciated.
If you're sending via UDP, there is no way to tell from the Cribl side if the receiving end is working or not. With TCP Cribl will know the status and indicate in the status flags in various places in the system.
Beyond the status flags for TCP-based syslog, I'd recommend running tcpdump on the target system to see if you're receiving connections from Cribl workers.
Thank you for the feedback .
That makes sense , UDP is connectionless indeed . But looking at Cribl I can see quite few indicators that would suggest that logs have been successfully transferred to the destination when that s not actually the case .
In my instance I have configured Cribl to send logs to an OnPrem log collector on port 1515 ( ALert Logic ) . All the port forwarding firewall configuration is in place .
As mentioned above when looking at charts , live capture , and monitoring screen for that destination I can see that some data activity from the various sources ( network devices syslog , Cribl Data Gen syslog ) but nothing is being received on the destination server . The 'Run Test" also comes as Success for that destination .
Any ideas where the issue might be ?
Thank you
Since UDP is connectionless, the only way to validate is to run tcpdump (or similar tool) on the receiving end. The sending side in a UDP convo has no idea if the receiving side got the data.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.