topic Re: Only one syslog shows up on server in Getting Data In

Only one syslog shows up on server

slacknetter — Thu, 07 Nov 2013 15:42:22 GMT

I have a new windows install and I can only get one syslog to show up. Any other devices I direct to send their logs do not show up.

Re: Only one syslog shows up on server

jtrucks — Thu, 07 Nov 2013 19:35:31 GMT

Can you elaborate? It is unclear with what you need help.

Re: Only one syslog shows up on server

slacknetter — Thu, 07 Nov 2013 19:39:32 GMT

The splunk server is on subnet 192.168.30.x
I added a pfsense at 192.168.30.254 and the logs show up
I try to add a dell switch from 192.168.30.1 and it does not show up
I try to add a pfsense from 192.168.20.254 and it doesn't show up (I assume I need a forwarder for this one?)

Re: Only one syslog shows up on server

yong_ly — Thu, 07 Nov 2013 21:06:20 GMT

How have you configured your settings? If you are doing it via a data stream, then there are three things that need to be done for it to work.

The syslog servers need to be configured to send data to a specific port on the Splunk machine e.g. TCP/5000
The splunk server needs to be configured to read that port and index the data. This can be found under inputs.
The firewalls between the machines must be configured to allow that data to flow through the TCP/UDP ports. This includes the local windows firewall too.

A quick google search for any of these things will give you the information you need to do that.

Similiar principles apply if you're using a forwarder.. except in step 1, the forwarder reads the syslog and forwards it instead of the machine directly sending it out as a syslog stream.

Re: Only one syslog shows up on server

slacknetter — Thu, 07 Nov 2013 21:13:44 GMT

I have setup a UDP syslog on port 514 on the splunk server and it is receiving data on that port from one device.
the second device is on the same subnet and it is still not showing up
the 3rd device is on the other side of a vpn and all ports and traffic UDP and TCP are allowed. all of my other services on all other devices and servers do not have any issues connecting over this link
firewall on the splunk server is off and there are also rules allowing all connections to udp port 514

Re: Only one syslog shows up on server

grijhwani — Thu, 07 Nov 2013 21:26:39 GMT

Are your routing tables on the devices generating the syslogs identical?

(PS: If you are using the native Splunk syslog server then you are not using syslog-ng.)

Re: Only one syslog shows up on server

yong_ly — Thu, 07 Nov 2013 21:31:51 GMT

I assume you've done a trace on both ends to make sure that the syslog data is being sent from the originating servers and being received on the splunk instance??

Is there another syslog daemon running on your splunk instance or another application using that port? If so then it's possible the syslogs coming int your machine are being aggregated into the local syslog..

I would suggest doing a netstat to make sure there's no other applications using that. Or changing to a different port above 1024..