Question

Issue with Ingesting events, audit, alerts to splunk - TCP connector - Syslog configuration

  • 13 March 2023
  • 6 replies
  • 49 views

Userlevel 2
Badge +7

Unable to find the events in Splunk; we confirmed that the host is reachable from the CommServe, as well as the IP.

Is there anything else that we must verify?

We also tried deploying a syslog server separately (enabling rsyslog); even there we were not able to find logmonitor.log being sent.


6 replies

Userlevel 2
Badge +7

@alligator - Did you have any issues setting up the secure communication between the CommServe and the Splunk server? Is there a firewall in place that could be blocking communication?


Commvault document for configuring syslog. 

https://documentation.commvault.com/2022e/essential/114237_configuring_syslog_server.html


Userlevel 2
Badge +7

@NVFD411 There is no firewall enabled; also, we are not using secure messaging in our case.

Yes, we followed the same document https://documentation.commvault.com/2022e/essential/114237_configuring_syslog_server.html, but somehow we are not able to identify the issue.


Userlevel 2
Badge +7

Please take a look at the EvmgrS and cvd logs for any errors. Please post if any errors are found.


Userlevel 2
Badge +7

@NVFD411 

No 😔

I don't see any errors reported in the EvmgrS and cvd logs related to syslog 😓

I couldn't find anything that relates to a syslog failure, like "data sent was rejected by syslog" or anything of that sort.


Userlevel 2
Badge +9

@alligator

Is this a Linux box, and does it have SELinux enabled?

I ask because I faced an issue where SELinux blocked cv from reading the log file. Upon further investigation, I discovered that SELinux was blocking "LogMonitoring". After adding "LogMonitoring" to the whitelist, the issue was resolved.

***audit.log cut***
type=AVC msg=audit(1679073616.118:7508): avc:  denied  { read } for  pid=13076 comm="LogMonitoring" name="audit.log" dev="dm-6" ino=5392 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=0
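An added example, not part of the original thread and not Commvault code: a small Python parser for AVC denial records like the one pasted above. It pulls out the process (comm), the source and target SELinux types, the object class and the denied permissions, filters for a given comm, and renders the allow rule that audit2allow would propose for that denial. The sample audit text is constructed for illustration: the first line is the record from the post, the second is an assumed unrelated httpd denial so the filter has something to skip.

```python
"""Parse SELinux AVC denials from audit.log and derive the allow rule audit2allow
would generate. Added example; not Commvault code."""
import re
from typing import Dict, List, Optional

# Constructed sample input: line 1 is the denial quoted in the thread,
# line 2 is an assumed, unrelated denial used only to show filtering.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1679073616.118:7508): avc:  denied  { read } for  pid=13076 comm="LogMonitoring" name="audit.log" dev="dm-6" ino=5392 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1679073700.001:7520): avc:  denied  { write } for  pid=2211 comm="httpd" name="index.html" dev="dm-6" ino=9912 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
_PERMS = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # the { read write ... } set


def _type_of(context: str) -> str:
    """user:role:type:level -> type (the part policy rules are written against)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC denial, or None if the line is not an AVC denial."""
    if "type=AVC" not in line or "denied" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    return {
        "comm": fields.get("comm", ""),
        "pid": int(fields["pid"]) if fields.get("pid", "").isdigit() else None,
        "name": fields.get("name", ""),
        "perms": m.group(1).split() if m else [],
        "source_type": _type_of(fields.get("scontext", "")),
        "target_type": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        # permissive=0 means the denial was actually enforced, not just logged
        "enforced": fields.get("permissive") == "0",
    }


def denials_for(audit_text: str, comm: str) -> List[Dict[str, object]]:
    """All enforced-or-not AVC denials attributed to a given process name."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["comm"] == comm:
            out.append(rec)
    return out


def allow_rule(rec: Dict[str, object]) -> str:
    """Render the policy statement audit2allow would emit for this denial."""
    perms = " ".join(rec["perms"])
    return f'allow {rec["source_type"]} {rec["target_type"]}:{rec["tclass"]} {{ {perms} }};'


if __name__ == "__main__":
    for rec in denials_for(SAMPLE_AUDIT, "LogMonitoring"):
        state = "enforced" if rec["enforced"] else "permissive"
        print(f'{rec["comm"]} pid={rec["pid"]} denied {rec["perms"]} on {rec["name"]} ({state})')
        print("  ->", allow_rule(rec))
```

For the record in the post this yields `allow init_t auditd_log_t:file { read };`. On a real host the same result comes from `ausearch -m AVC -c LogMonitoring --raw | audit2allow -M cv_logmon` followed by `semodule -i cv_logmon.pp`; review the generated .te before installing it, because `init_t` is a broad source domain and the rule grants read access to all files labelled `auditd_log_t`, not just the one file the monitor needs.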

Userlevel 2
Badge +7

@DanC @NVFD411 

At last we were able to find the issue 😓

We were trying to get the data on a TCP port, but this would only work with UDP.

After reconfiguring rsyslog with UDP it's working; likewise, when we configured a UDP port on our Splunk, we are able to see the events directly in Splunk.

I hope the documentation will be modified accordingly.
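An added example, not part of the original thread and not Commvault, rsyslog or Splunk code: a Python probe that reproduces the transport mismatch the thread ended on. It builds an RFC 3164-style syslog line, sends it to the same host and port over both UDP and TCP, and reports which one got through. The receiver here is a constructed localhost stand-in that binds only a UDP socket, modelling an rsyslog or Splunk input configured for UDP only; the facility/severity values, the app name and the fixed timestamp are assumptions.

```python
"""Probe a syslog receiver over UDP and TCP to see which transport it accepts.
Added example; the UDP-only listener is a stand-in for rsyslog/Splunk."""
import socket
import threading
from datetime import datetime
from typing import Dict, List


def syslog_message(facility: int, severity: int, app: str, msg: str,
                   host: str = "commserve") -> bytes:
    """RFC 3164-style line: <PRI>Mmm dd HH:MM:SS host app: msg (PRI = facility*8 + severity)."""
    pri = facility * 8 + severity
    ts = datetime(2023, 3, 13, 10, 0, 0).strftime("%b %d %H:%M:%S")  # fixed for determinism
    return f"<{pri}>{ts} {host} {app}: {msg}\n".encode()


def send_udp(host: str, port: int, payload: bytes) -> bool:
    """UDP is fire-and-forget: the sender learns nothing about whether anyone listened."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))
    return True


def send_tcp(host: str, port: int, payload: bytes, timeout: float = 1.0) -> bool:
    """TCP at least fails loudly: connection refused when nothing listens on that port/protocol."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
        return True
    except OSError:
        return False


class UdpOnlyListener:
    """Constructed stand-in for a receiver with only a UDP input configured."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))          # ephemeral port, UDP only
        self.sock.settimeout(2.0)
        self.port = self.sock.getsockname()[1]
        self.received: List[str] = []
        self.thread = threading.Thread(target=self._run, daemon=True)
        self.thread.start()

    def _run(self) -> None:
        try:
            data, _ = self.sock.recvfrom(65535)
            self.received.append(data.decode())
        except socket.timeout:
            pass                                   # nothing arrived within the window

    def close(self) -> None:
        self.sock.close()


def probe(host: str, port: int, payload: bytes) -> Dict[str, object]:
    """Try both transports against the same endpoint."""
    return {"udp": send_udp(host, port, payload), "tcp": send_tcp(host, port, payload)}


def demo() -> Dict[str, object]:
    """Run the probe against the UDP-only stand-in and return what it saw."""
    listener = UdpOnlyListener()
    payload = syslog_message(facility=1, severity=6, app="LogMonitoring",
                             msg="test event from commserve")
    result = probe("127.0.0.1", listener.port, payload)
    listener.thread.join(timeout=2.5)
    result["received"] = list(listener.received)
    listener.close()
    return result


if __name__ == "__main__":
    r = demo()
    print("udp sent:", r["udp"], "| tcp accepted:", r["tcp"])
    for line in r["received"]:
        print("receiver got:", line.rstrip())
```

Against the UDP-only stand-in the TCP attempt is refused while the UDP datagram is delivered, which is the mismatch the poster resolved by switching to UDP on both sides. Note that the UDP sender reports success regardless of whether anything listened, so a transport or port mismatch on a UDP path is silent at the sending end. On a real rsyslog receiver, check whether the listening side loads `imudp` with an `input(type="imudp" port="514")` block or `imtcp` with `input(type="imtcp" port="514")`, and on Splunk whether the data input was created as a UDP or a TCP input; the sender has to match whichever one is actually bound.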
