https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82179#M16982 <P>Yes I am able to get a connection to the ip:port combination.</P> Fri, 04 Oct 2013 02:23:46 GMT balcv 2013-10-04T02:23:46Z https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82175#M16978 <P>This is not a splunk specific question however it is very related and involves config of syslog on a linux host that will NOT send to my splunk server.</P> <P>I have a linux server running syslogd ver 1.4.1 and I have added a line to the syslog.conf file that has <EM>.</EM> @192.168.1.1:64514<BR /> (I use port 64514 due to a port conflict but it works). Keep in mind I have this working on other hosts.</P> <P>When I trigger an event I get nothing on Splunk. If I run a packet capture on the host I do not even see the packets attempting to leave. However, if I remove the port number (64514), I do see traffic leaving on port 514. </P> <P>Can anyone help with this problem?</P> Fri, 04 Oct 2013 00:18:41 GMT https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82175#M16978 balcv 2013-10-04T00:18:41Z https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82176#M16979 <P>Did you check netstat to see if the port you are trying to use is already in use?</P> Fri, 04 Oct 2013 00:29:21 GMT https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82176#M16979 lukejadamec 2013-10-04T00:29:21Z https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82177#M16980 <P>I have now checked and no, the port is not being used.</P> Fri, 04 Oct 2013 00:40:52 GMT https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82177#M16980 balcv 2013-10-04T00:40:52Z https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82178#M16981 <P>Can you check if you are able to connect to the ip port? You can do 'telnet 192.168.1.1 64514' or 'echo "test" | nc 192.168.1.1 64154'.</P> Fri, 04 Oct 2013 02:05:33 GMT https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82178#M16981 jkerai 2013-10-04T02:05:33Z https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82179#M16982 <P>Yes I am able to get a connection to the ip:port combination.</P> Fri, 04 Oct 2013 02:23:46 GMT https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82179#M16982 balcv 2013-10-04T02:23:46Z https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82180#M16983 <P>If this is close to the man page for your syslogd, it may not have support for logging to an alternate port: <A href="http://linux.die.net/man/8/syslogd">http://linux.die.net/man/8/syslogd</A></P> <P>I can recommend rsyslog as a very flexible alternative.</P> Sun, 06 Oct 2013 18:35:12 GMT https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82180#M16983 jspears 2013-10-06T18:35:12Z https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82181#M16984 <P>Thanks for that. I had "suspected" this was the case but could not see it documented but it does explain why it does not work. I'll go with rsyslog.</P> <P>Thanks</P> Sun, 06 Oct 2013 22:02:05 GMT https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82181#M16984 balcv 2013-10-06T22:02:05Z https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82182#M16985 <P>Hi Frnd,</P> <P>See here you have just mentioned the ipaddress of the other host in the syslog.conf file in which where your all logs that listening to the port 514 to be forwarded tell me that have you installed and configured the splunk on the 192.168.1.1 server?. </P> <P>inform me whether above my comments gave you an idea.</P> <P>Regards,<BR /> Aravinth </P> Fri, 01 Nov 2013 16:35:16 GMT https://community.splunk.com/t5/Getting-Data-In/Linux-Syslogd-Config/m-p/82182#M16985 aravm8 2013-11-01T16:35:16Z