Issue with Ingesting events, audit, alerts to splunk - TCP connector - Syslog configuration

  • 13 March 2023
  • 6 replies

Userlevel 2
Badge +7

 Unable to find the events in splunk, we confirm that the host is reachable from commserve as well as the IP

Is there anything else that we must verify?

Also tried deploying a syslog server separately (enabling rsyslog), even there we were not able to find the logmonitor.log being sent.



6 replies

Userlevel 2
Badge +7

@alligator -  Did you have any issues setting up the secure communication between the commserve and splunk server? Is there a firewall in place that could be blocking communication?  


Commvault document for configuring syslog.


Userlevel 2
Badge +7

@NVFD411 there is no firewall enabled, also we are not using the secure messaging in our case. 

Yes,we followed the same document, some how we are  not able to identify the issue.


Userlevel 2
Badge +7

Please take a look at the EvmgrS and cvd logs for any errors.  Please post if any errors are found.


Userlevel 2
Badge +7


No 😔

I don’t see any errors reported on EvmgrS and cvd logs related to syslog 😓

I couldn’t find anything that relates to a syslog failure like

data sent was rejected by syslog or anything of that sort.


Userlevel 2
Badge +9


is this a Linux box and does it have SELinux enabled?

I ask because I faced an issue where SELinux blocked cv to read the log file. Upon further investigation, I discovered that SELinux was blocking the "LogMonitoring" . After adding "LogMonitoring" to the whitelist, the issue was resolved.

***audit.log cut***
type=AVC msg=audit(1679073616.118:7508): avc:  denied  { read } for  pid=13076 comm="LogMonitoring" name="audit.log" dev="dm-6" ino=5392 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=0

Userlevel 2
Badge +7

@DanC @NVFD411 

Atlast we were able to find the issue 😓


we were trying to get the data on TCP port , but this would only work with UDP.

after re-configuring the rsyslog with UDP its working, same when we configured UDP port on our splunk , we are able to see the events directly on splunk.

I hope the documentation would be modified accordingly.