https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604189#M105085 <P>One more thing. You can't run input on port 514 if you run splunk with ordinary user (non-root). And running splunk as root is not something you should do.</P> Fri, 01 Jul 2022 21:40:50 GMT PickleRick 2022-07-01T21:40:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604163#M105079 <P>Hello Splunkers,</P> <P>Is a splunk forwarder required to send data to splunk from a switch or router?</P> <P>Can I configure the the device to send logs directly to the splunk like using port 514.</P> <P>Like in a cisco config - "logging host", etc</P> <P>&nbsp;</P> <P>Thanks</P> <P>EWH</P> Tue, 05 Jul 2022 16:14:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604163#M105079 eholz1 2022-07-05T16:14:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604174#M105081 <P>Hi,</P><P>it is possible to send directly to Splunk. You can set up input in Splunk (it would need to be either some kind of forwarder or indexer) to listen on a port. You can define it in GUI or in inputs.conf and it would look something like this. You can ommit the host and have it listen for any connection on a port.</P><PRE>[tcp://syslog.corp.example.net:514] sourcetype = cisco:ise index = cisco</PRE><P>On the network device, you would enter the IP address of the Splunk instance and whatever port you specified and you start receiving the data.</P><P>Keep in mind that it would be better to use a syslog server for this. Because when you restart the ingesting Splunk instance, you could start losing data. If you have multiple devices that you want to set up like this I would look at the SC4S project:&nbsp;<A href="https://splunk.github.io/splunk-connect-for-syslog/main/" target="_blank">https://splunk.github.io/splunk-connect-for-syslog/main/</A></P> Fri, 01 Jul 2022 20:28:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604174#M105081 smurf 2022-07-01T20:28:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604181#M105084 <P>gosh, why did I not think of that!! Been awhile since my splunk training!</P><P>&nbsp;</P><P>thanks!!</P><P>eholz1</P> Fri, 01 Jul 2022 21:16:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604181#M105084 eholz1 2022-07-01T21:16:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604189#M105085 <P>One more thing. You can't run input on port 514 if you run splunk with ordinary user (non-root). And running splunk as root is not something you should do.</P> Fri, 01 Jul 2022 21:40:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604189#M105085 PickleRick 2022-07-01T21:40:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604270#M105101 <P>To be more exact, you can not use any port below 1024 in Splunk if Splunk does not run as root user.</P><P>An you should NOT run Splunk as root.&nbsp; So have a look at my post here on how to install Splunk as non root user and use Rsyslog to get syslog data inn to Splunk.</P><P><A href="https://forum.mikrotik.com/viewtopic.php?p=888802#p888802" target="_blank">https://forum.mikrotik.com/viewtopic.php?p=888802#p888802</A></P> Sun, 03 Jul 2022 15:49:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-log-file-from-switch-router-directly-to-Splunk/m-p/604270#M105101 jotne 2022-07-03T15:49:40Z