I have six RDSH servers running uberAgent. One of them (RDS1) does not appear to be sending user logon information to the User Logon Duration dashboard. User Logon Duration data for the other 5 servers is there. I have checked the uberAgent.log file on RDS1 and see the "ReceiverStatistics,Splunk;" line with "Events in queue: <0>". The "rejected from queue:" is always 0 as well.

In Splunk, I can see events when I search for: index=uberagent* host=RDS1

What should I check next? I'd really appreciate any help troubleshooting this issue. Thanks!


    Martin Kretzschmar Official comment

    Hi Drew,

    For starters, I have a few questions:
    - Is the uberAgent version on your RDSH servers in sync with the version of your uberAgent Splunk apps?
    - Do all RDSH servers send their data directly to your Splunk indexer (cluster), or is there also a heavy forwarder in place?
    - Are all RDSH servers running the very same uberAgent configuration?

    Kind regards, Martin

    Drew Hilliard

    Hi Martin,

    - The versions are in sync, all on version 6.1.1

    - All RDSH servers send directly to the Splunk indexer. No heavy forwarder in place.

    - All RDSH servers are running the same configuration.

    Thanks for the quick response!

    Martin Kretzschmar

    Thanks, Drew,

    I am forwarding this to our support system as we need to look into the log file, which contains sensitive information.

    As soon as the solution has been found, I will add it to this post.

