Troubleshoot Syslog consumption

Troubleshoot the Syslog data if the dashboards do not populate.
  1. If in a distributed environment, ensure that you are configuring syslog consumption on the Forwarder and that the environment is running version 6.2 or higher.
  2. Ensure the latest version of the app is installed on the Search Head. Ensure the matching version of the TA is installed on Indexers and Forwarder. If the Threat Data Report (TDR) is desired, a Heavy Forwarder will be required due to scripted inputs.
  3. Ensure the index name is either (preferred) or to match the inputs.conf file.
  4. Ensure the incoming sourcetype defined in inputs.conf is
  5. Ensure eventtypes.conf has not been altered, since this populates the dashboards. Then ensure that the macro cylance_index has not been altered, as it needs to search the index that contains data – usually cylance_protect or protect.
  6. Go to search box, select All Time, then type:
     eventtype=cylance_index sourcetype=syslog*
     If no data is returned (example: no results found for this particular query):
     1. Click the Test Connection hyperlink in the tenant. You should see Test Connection Successful.
     2. Ensure the port is open to receive syslog data. For example, assuming 6514 is being used:
        netstat -an | grep 6514
    3. Ensure no network or host firewalls are blocking traffic. Layer 7 firewalls may need to be told to expect TLS/SSL traffic.
    • Use a packet sniffer such as Wireshark to verify the connection is made and data is passed.
    • If using a syslog daemon to write the data to a file first, ensure data is being written to the file.
     • Go to search box, select All Time, then type:
       eventtype=cylance_index sourcetype=syslog*
     If data is returned but is illegible (example: boxes instead of text):
     1. Ensure TLS matches in the tenant and . For example: the TLS/SSL checkbox is checked in the tenant and tcp-ssl is used in the Splunk inputs.conf file.
    If only syslog_protect data is returned and no other sourcetype (examples: syslog_app_control, syslog_audit_log, or syslog_devices):
     1. Ensure the app is installed on the forwarder and search head so the props.conf and transforms.conf take effect and properly rename to another sourcetype name, based on the content of the event.
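The TLS, sourcetype and index checks from steps 5 and 6 above, written as a shell check over an inputs.conf file. This is an added example, not code from the original page or from the app; the sample inputs.conf, the helper names and the "usual" index names it accepts are assumptions for the example.

```shell
# Constructed sample inputs.conf for this example (not from the page):
# a plain TCP listener on 6514 and a TLS listener on 1514.
SAMPLE_INPUTS_CONF='[tcp://6514]
sourcetype = syslog
index = cylance_protect
[tcp-ssl://1514]
sourcetype=syslog
index=protect
'
# stanza_value CONF STANZA KEY: print KEY's value inside STANZA (empty if absent)
stanza_value() {
  printf '%s\n' "$1" | awk -v s="$2" -v k="$3" '
    /^\[/ { in_s = ($0 == s); next }
    in_s && $0 ~ ("^" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}
# check_syslog_input PORT TLS(yes|no) [CONF]
# Compares the tenant TLS/SSL setting with the tcp/tcp-ssl stanza for PORT, then
# checks the stanza's sourcetype against the sourcetype=syslog* search and its
# index against the names the cylance_index macro usually searches (assumed set).
check_syslog_input() {
  port="$1"; tls="$2"; conf="${3:-$SAMPLE_INPUTS_CONF}"
  stanza=$(printf '%s\n' "$conf" | grep -E "^\[(tcp|tcp-ssl)://$port\]$" || true)
  if [ -z "$stanza" ]; then
    echo "MISSING: no [tcp://$port] or [tcp-ssl://$port] stanza in inputs.conf"
    return 1
  fi
  case "$stanza" in '[tcp-ssl://'*) proto=tcp-ssl ;; *) proto=tcp ;; esac
  if [ "$tls" = yes ] && [ "$proto" = tcp ]; then
    echo "MISMATCH: tenant sends TLS but inputs.conf has [tcp://$port]; expect unreadable events"
    return 1
  fi
  if [ "$tls" = no ] && [ "$proto" = tcp-ssl ]; then
    echo "MISMATCH: tenant sends plaintext but inputs.conf has [tcp-ssl://$port]"
    return 1
  fi
  st=$(stanza_value "$conf" "$stanza" sourcetype)
  case "$st" in syslog*) ;; *)
    echo "SOURCETYPE: $stanza uses '$st'; the eventtype search expects sourcetype=syslog*"
    return 1 ;;
  esac
  idx=$(stanza_value "$conf" "$stanza" index)
  case "$idx" in cylance_protect|protect) ;; *)
    echo "INDEX: $stanza writes to '$idx'; confirm the cylance_index macro searches it"
    return 1 ;;
  esac
  echo "OK: $stanza index=$idx matches tenant TLS=$tls"
}
```

Run it against the real file with `check_syslog_input 6514 yes "$(cat /path/to/inputs.conf)"` (path is a placeholder); a MISMATCH result is the usual cause of the "boxes instead of text" symptom.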