https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748816#M119000 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196884">@danielbb</a>&nbsp;</P><P>I suspect the main reason for this is that 9514 is not a&nbsp;Privileged port, ie Splunk can mount it (ports &gt; 1024) without additional permissions. To mount a port &lt;1024 Splunk would require&nbsp;<SPAN>CAP_NET_BIND_SERVICE capability.</SPAN></P><P><SPAN>It is common practice for Splunk to listen to ports higher than 1024 for syslog, and people often prefix 514 with another number. Sometimes you will see multiples such as 7514,8514,9514 to receive traffic from different syslog sources.</SPAN></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Thu, 26 Jun 2025 16:38:10 GMT livehybrid 2025-06-26T16:38:10Z https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748812#M118998 <P>I came across in our repo a monitoring stanza for f5, which is&nbsp;[UDP://9514]. I wonder if there is any reason not to use syslog for this case, are there any limitations using syslog vs. direct UDP connection? Why would anybody bypass syslog?</P> Thu, 26 Jun 2025 16:23:30 GMT https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748812#M118998 danielbb 2025-06-26T16:23:30Z https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748816#M119000 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196884">@danielbb</a>&nbsp;</P><P>I suspect the main reason for this is that 9514 is not a&nbsp;Privileged port, ie Splunk can mount it (ports &gt; 1024) without additional permissions. To mount a port &lt;1024 Splunk would require&nbsp;<SPAN>CAP_NET_BIND_SERVICE capability.</SPAN></P><P><SPAN>It is common practice for Splunk to listen to ports higher than 1024 for syslog, and people often prefix 514 with another number. Sometimes you will see multiples such as 7514,8514,9514 to receive traffic from different syslog sources.</SPAN></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Thu, 26 Jun 2025 16:38:10 GMT https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748816#M119000 livehybrid 2025-06-26T16:38:10Z https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748817#M119001 <P>Adding on to&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>'s response, sending TCP/UDP directly to a Splunk instance is discouraged.&nbsp; The reason is any time that instance restarts data is lost.&nbsp; Also, the usual distance between the data source and Splunk increases the chances of UDP data getting dropped.</P> Thu, 26 Jun 2025 17:06:42 GMT https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748817#M119001 richgalloway 2025-06-26T17:06:42Z https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748822#M119004 <P>And, to add to already provided answers, there is no such thing as syslog meaning a strictly defined protocol. Syslog can mean many different things depending on context and it's definitely not limited to 514 port. It's a perfectly normal situation when "syslog" data is sent to another port.</P> Thu, 26 Jun 2025 17:45:02 GMT https://community.splunk.com/t5/Getting-Data-In/Why-for-f5-data-we-use-UDP-9514-instead-of-using-syslog/m-p/748822#M119004 PickleRick 2025-06-26T17:45:02Z