topic Re: how to allow splunk to connect UDP 161 port in Linux? in Getting Data In

how to allow splunk to connect UDP 161 port in Linux?

cebo_myeza — Wed, 10 Jun 2015 02:39:17 GMT

i am working on a splunk project and i am using centos as my operating system, i just need help on how to allow only the SNMP monitoring server (SPLUNK) to connect to UDP 161 port in centos using CLI.

Re: how to allow splunk to connect UDP 161 port in Linux?

splunker12er — Wed, 10 Jun 2015 02:51:16 GMT

Add CLI inputs:

./splunk add udp 161 -sourcetype name_of_your_sourcetype

Add inputs via Splunkweb:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SyslogTCP

UDP

[udp://<remote server>:<port>]
<attrbute1> = <val1>
<attrbute2> = <val2>
...

This type of input stanza is similar to the TCP type, except that it listens on a UDP port.

Further reference:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SendSNMPeventstoSplunk

Re: how to allow splunk to connect UDP 161 port in Linux?

MuS — Wed, 10 Jun 2015 03:04:18 GMT

Hi cebo_myeza,

If you have Splunk installed with a non-root user on LINUX, you can´t listen to ports below 1024. But....there is a work around:

/usr/sbin/iptables -t nat -A PREROUTING -m udp -p udp --dport 161 -j REDIRECT --to-ports 1161

The IPTABLES Firewall will route UDP from port 161 to port 1161.
It needs to be executed as root and your sys admin should make it boot able, so that this redirect is permanent and gets loaded after a system reboot.

Afterwards do this:

$SPLUNK_HOME/bin/splunk add udp 1161 -sourcetype snmp

Hope this helps ...

cheers, MuS

Re: how to allow splunk to connect UDP 161 port in Linux?

cebo_myeza — Wed, 10 Jun 2015 07:49:41 GMT

Hi MuS

Thanks for your time though.

i am little bit confused about the second part... add udp 1611 -sourcetype snmp, what is 1611 for?

thanks

Re: how to allow splunk to connect UDP 161 port in Linux?

yannK — Wed, 10 Jun 2015 11:11:31 GMT

This is if splunk service is not running as root, then it cannot open any ports under the 1-1024 range (reserved by root)
So a workaround is to use IPtables to map the port 161 to a port > 1024, like 1611

The second command is the splunk CLI command to add a new input on the new port.

Re: how to allow splunk to connect UDP 161 port in Linux?

s2_splunk — Wed, 10 Jun 2015 17:36:29 GMT

I think it's a typo, should be 1161, the port 161 gets redirected to.

Re: how to allow splunk to connect UDP 161 port in Linux?

MuS — Wed, 10 Jun 2015 19:46:35 GMT

HeHe, indeed it is a typo - corrected now. thanks for the hint 😉

Re: how to allow splunk to connect UDP 161 port in Linux?

cebo_myeza — Thu, 11 Jun 2015 01:07:16 GMT

thanks again for your time.

is it correct to use this even though i am running my splunk as root.

Re: how to allow splunk to connect UDP 161 port in Linux?

MuS — Thu, 11 Jun 2015 01:27:26 GMT

No, running Splunk as root should be fine. But if you cannot assign a port, it could be already open / in use.

Re: how to allow splunk to connect UDP 161 port in Linux?

cebo_myeza — Thu, 11 Jun 2015 02:22:43 GMT

hi
thanks for your help.

can you please explain this part for me

[udp://:]
=
=
...

where should i write this, what is it for?

Re: how to allow splunk to connect UDP 161 port in Linux?

splunker12er — Mon, 28 Sep 2020 20:13:05 GMT

Hello,

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/your_app/local

You can set any number of attributes , (please refer to the link, http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports) and values following an input type. If you do not specify a value for one or more attributes, Splunk uses the defaults that are preset in $SPLUNK_HOME/etc/system/default/ (noted below).

Re: how to allow splunk to connect UDP 161 port in Linux?

cebo_myeza — Thu, 11 Jun 2015 06:57:04 GMT

hello
if i try to add the port i get the following error:

[root@localhost bin]# ./splunk add udp 161 -sourcetype snmp
Splunk username: admin

Password:
Can't create directory "/root/.splunk": Permission denied
[root@localhost bin]#

please help

Re: how to allow splunk to connect UDP 161 port in Linux?

splunker12er — Thu, 11 Jun 2015 07:56:41 GMT

To use ./splunkyou should have to set environmental variables.

if you are using *nix operating systems, try setting up the env. variables.,

export SPLUNK_HOME=/opt/splunk
export PATH=$SPLUNK_HOME/bin:$PATH

OR else, you should directly add stanzas to inputs.conf something like this, via CLI

/opt/splunk/bin/splunk add 161 -sourcetype snmp

Re: how to allow splunk to connect UDP 161 port in Linux?

MuS — Thu, 11 Jun 2015 20:29:36 GMT

or do source /opt/splunk/bin/setSplunkEnv 😉

The problem here is, that the add-monitor script adds an authToken_servername_8089 to the normal user home directory, but owned by splunk:splunk,

So try something like this:

sudo ./splunk add monitor /var/log/

It should prompt you for root [sudo] password and then your splunk credentials that were set up.