topic iDRAC Firmware 5.0 syslogs not received from Splunk in Getting Data In

iDRAC Firmware 5.0 syslogs not received from Splunk

JMDEJESUS24 — Thu, 08 Aug 2024 03:56:17 GMT

We are able to perform a successful iDRAC syslog sent to Splunk for Firmware version 3.xx but when its Firmware version 5.xx, we aren't successful. Any chance that it is related to the firmware that I need to configure? Both configuration are the same and our log collector picks up an udp packets from the iDRACs.

Re: iDRAC Firmware 5.0 syslogs not received from Splunk

PickleRick — Thu, 08 Aug 2024 05:53:20 GMT

OK. We need more info.

"our log collector picks up an udp packets from the iDRACs." - does that mean that you can receive (how?) logs from the iDRACs but they don't get ingested into Splunk? Or does it mean that you get some other UDP packets (on different ports?) not your desired syslogs?

How did you verify it?

Re: iDRAC Firmware 5.0 syslogs not received from Splunk

JMDEJESUS24 — Sun, 11 Aug 2024 23:36:06 GMT

Hi @PickleRick, it receives the tcpdump connection showing the syslog activity and information whenever we log on, log off or send a test message from the iDRAC machine, but it is not ingested in Splunk and somehow it gets lost from the Log collector machine.

Re: iDRAC Firmware 5.0 syslogs not received from Splunk

PickleRick — Mon, 12 Aug 2024 13:17:33 GMT

OK. It's a start. So UDP packets are reaching your receiver box. What then? Are you trying to receive the data directly on your Splunk instance (or a forwarder)? Or are you using some intermediate syslog receiver like rsyslog or syslog-ng.

Did you check your local firewall?

If it's a linux box, did you verify rp_filter settings and routing?