topic Re: Syslog from Firewall issue in Getting Data In

Syslog from Firewall issue

hartfoml — Wed, 18 Jan 2012 20:15:00 GMT

I asked my Firewall admin to change the port for syslog to the Splunk indexer.

He changed it from 514 to 1514.

He said he made the change but I am not seeing the incoming log data.

I'm sure the indexer host firewall port is open.

Where would I go to see what data is coming in on what port?

Does splunk tag the data with the indexer connection information?

Re: Syslog from Firewall issue

FunPolice — Thu, 19 Jan 2012 07:33:17 GMT

The low-impact way would be to get IP accounting or netflow data from any routers or switches between the firewall and your indexer.

Otherwise you could install packet capture software (Wireshark or Microsoft Network Monitor, for example) on your indexer and capture all of the traffic that's hitting its network port.

If you can get a SPAN port set up (it sends a copy of all traffic heading for one switch port to a second port) then you can install the packet capture software on any machine and avoid touching your indexer.

Re: Syslog from Firewall issue

hartfoml — Fri, 20 Jan 2012 20:08:47 GMT

Used the SoS app

This app will show you

S.o.S - Splunk on Splunk > Metrics > Incoming Network Throughput

this shows the network data comeing into splunk on what ports

After checking with my lunix admin and looking in SoS I confrunted the firewall guy and they did not make the change requiered.