https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85991#M17883 <P>Make sure your syslog daemon (or equivalent) it not listing on udp:514 as well. </P> Tue, 25 Jun 2013 16:30:07 GMT mlf 2013-06-25T16:30:07Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85986#M17878 <P>I have a UDP/514 Port setup in data inputs. i have a number of machines sending syslog data to this port however only certain applications show up in splunk. the rest never get there. Is there any kind of log that would show what is happening? is splunk dropping the data. I see on wireshark that the data leaves the sending machine and i am aware that UDP does not ensure delivery but i would expect at least one or two packets to make it?</P> <P>Any ideas why this would be?</P> Wed, 10 Oct 2012 13:39:29 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85986#M17878 deltamph 2012-10-10T13:39:29Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85987#M17879 <P>Have you run a tcpdump/wireshark on the machine running Splunk?</P> <P>Have you confirmed the end-to-end connectivity from each host? - it is common that a firewall would block some connections but not others depending on legacy rules</P> Wed, 10 Oct 2012 13:49:27 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85987#M17879 MHibbin 2012-10-10T13:49:27Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85988#M17880 <P>i have run wireshark on the sending computer and verified the packets at least leave the computer. </P> <P>i will see about running a Dump on the splunk machine to see if i receive it.</P> Wed, 10 Oct 2012 14:06:33 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85988#M17880 deltamph 2012-10-10T14:06:33Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85989#M17881 <P>Please check 3 things (if you are on linux)</P> <UL> <LI>verify that splunk run as root, otherwise he will not be able to open port under 1024 (reserved to root only)</LI> <LI>use netstat with options to verify that splunk is the process listening to UDP 514</LI> <LI>if your events are coming from another subnet, see <A href="http://splunk-base.splunk.com/answers/12876/splunk-running-on-my-linux-server-is-only-showing-me-events-from-my-local-subnet-what-is-going-on">http://splunk-base.splunk.com/answers/12876/splunk-running-on-my-linux-server-is-only-showing-me-events-from-my-local-subnet-what-is-going-on</A></LI> </UL> Wed, 10 Oct 2012 14:20:17 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85989#M17881 yannK 2012-10-10T14:20:17Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85990#M17882 <UL> <LI>Splunk is running as root. we have other apps that work send to udp/514 and they are showing up in splunk.</LI> <LI>Splunk is listening on 514 as some apps show up.</LI> <LI>I will check to see about the local subnet issue. Thanks</LI> </UL> Wed, 10 Oct 2012 14:27:53 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85990#M17882 deltamph 2012-10-10T14:27:53Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85991#M17883 <P>Make sure your syslog daemon (or equivalent) it not listing on udp:514 as well. </P> Tue, 25 Jun 2013 16:30:07 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85991#M17883 mlf 2013-06-25T16:30:07Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85992#M17884 <P>can it be this problem with data spoofed from a different subnet ?<BR /> <A href="http://answers.splunk.com/answers/12876/splunk-running-on-my-linux-server-is-only-showing-me-events-from-my-local-subnet-what-is-going-on">http://answers.splunk.com/answers/12876/splunk-running-on-my-linux-server-is-only-showing-me-events-from-my-local-subnet-what-is-going-on</A></P> Fri, 08 Nov 2013 00:55:18 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85992#M17884 yannK 2013-11-08T00:55:18Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85993#M17885 <P>I have the same problem. Firewall on Splunk server is disabled, changed rp_filter to 0, I see the packets from both Cisco firewalls in tcpdump, but only see events from one firewall being indexed.</P> Wed, 18 May 2016 17:03:44 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Port-not-receiving-Data-from-All-Sources/m-p/85993#M17885 EdBruce 2016-05-18T17:03:44Z