https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93702#M19482 <P>Not sure but it works now. Could have been just going over steps needs to make this work.<BR /> thanks</P> <OL> <LI>configured iptables to take udp 514</LI> <LI>restarting iptables</LI> <LI>adding data input udp 514</LI> </OL> <P>BTW: i still don't see syslog "port 514" activity in the metrics.log but it works.</P> Fri, 11 Oct 2013 22:26:45 GMT fletch13 2013-10-11T22:26:45Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93694#M19474 <P>I've been reading and trying to figure this out. But i'm stomped.</P> <P>I configured a device to send syslog events to the splunk server via udp:514<BR /> i can see the traffic (on splunk server)with tcpdump port 514. I've tested this by trigger an event on the device and seeing the event on the splunk server (via tcpdump.</P> <P>./splunk list udp cli shows 514<BR /> I've tailed "metics.log" and i do not see the related syslog event getting there.</P> <P>Looks like everything is good. but nothing in searches or indexes.. <BR /> running splunk ver 6.</P> Thu, 10 Oct 2013 21:16:50 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93694#M19474 fletch13 2013-10-10T21:16:50Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93695#M19475 <P>How have you configured Splunk to listen on that port?</P> Thu, 10 Oct 2013 22:00:43 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93695#M19475 lukejadamec 2013-10-10T22:00:43Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93696#M19476 <P>Disable your firewall. And/or add rules to allow UDP/514.</P> <P>Using tcpdump is a great test, but it is misleading with UDP packets. The libpcap libraries sit in the network stack below iptables. So it is entirely possible that you will see a packet arrive with tcpdump and it will be dropped by iptables before it makes it to the process. And because it's UDP there is no broken session setup to observe.</P> Fri, 11 Oct 2013 05:32:17 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93696#M19476 dwaddle 2013-10-11T05:32:17Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93697#M19477 <P>Dwaddle nailed it, but I'd also check to see if another process, like syslog or syslog-ng, is already using UDP 514.</P> <PRE><CODE>lsof -i :514 </CODE></PRE> Fri, 11 Oct 2013 17:17:55 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93697#M19477 twinspop 2013-10-11T17:17:55Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93698#M19478 <P>yes. Splunk has been configured to listen to udp 514</P> Fri, 11 Oct 2013 17:38:12 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93698#M19478 fletch13 2013-10-11T17:38:12Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93699#M19479 <P>okay. i double checked and iptables files is configured to accept port 514. plus restarted iptables.<BR /> -A INPUT -p udp -m udp --dport 514 -j ACCEPT</P> Fri, 11 Oct 2013 17:43:22 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93699#M19479 fletch13 2013-10-11T17:43:22Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93700#M19480 <P>i did have rsyslog running. i kill it and still not seeing my udp traffic in the metrics.log</P> Fri, 11 Oct 2013 17:51:38 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93700#M19480 fletch13 2013-10-11T17:51:38Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93701#M19481 <P>Did you restart Splunk after? It won't dynamically re-try the port. A restart will be needed.</P> Fri, 11 Oct 2013 20:25:20 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93701#M19481 twinspop 2013-10-11T20:25:20Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93702#M19482 <P>Not sure but it works now. Could have been just going over steps needs to make this work.<BR /> thanks</P> <OL> <LI>configured iptables to take udp 514</LI> <LI>restarting iptables</LI> <LI>adding data input udp 514</LI> </OL> <P>BTW: i still don't see syslog "port 514" activity in the metrics.log but it works.</P> Fri, 11 Oct 2013 22:26:45 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93702#M19482 fletch13 2013-10-11T22:26:45Z https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93703#M19483 <P>Redirects 514 to 5514 in this example.</P> <P>Poke hole in iptables to allow web-configuration and the listener ports </P> <P>Redirect for port 515 up to 5514 which we are listening on (be sure to "service iptables save" after modifying iptables, or modify etc/sysconfig/iptables directly)</P> <P><CODE>iptables -I INPUT -p tcp --dport 8000 -j ACCEPT</CODE></P> <P><CODE>iptables -I INPUT -p tcp --dport 5514 -j ACCEPT</CODE></P> <P><CODE>iptables -t nat -A PREROUTING -d MY.IP -p tcp -m tcp --dport 514 -j DNAT --to-destination MY.IP:5514</CODE></P> <P><CODE>iptables -t nat -A PREROUTING -d MY.IP -p udp -m udp --dport 514 -j DNAT --to-destination MY.IP:5514</CODE></P> Wed, 02 Jul 2014 01:02:10 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-Splunk-to-work-with-Syslog-UDP-514/m-p/93703#M19483 mcronkrite 2014-07-02T01:02:10Z