topic Re: How to confirm a udp input is running? in Getting Data In

How to confirm a udp input is running?

a212830 — Thu, 12 Oct 2017 12:56:49 GMT

Hi,

I'm having issues with what should be a very basic setup. I have an appliance sending syslog messages to a heavy forwarder, on port 514, using UDP. I've verified that the events are coming in via tcpdump. My inputs is setup to listen on port 514, and nothing else is listening on it, but the events are not appearing in the indexer. I've checked for all-time, and recent time, and manually send some events via netcat. I do not see anything in the logs indicating that splunk is even listening for this data. Should some message appear somewhere, indicating that it's listening on port 514, similar to how it shows what logs are being watched? The HFW can talk to the indexer, as internal events are appearing.

Inputs:

[udp://514]
connection_host = dns
index = main
sourcetype=syslog 
disabled = no
queueSize = 1KB

Re: How to confirm a udp input is running?

mattymo — Thu, 12 Oct 2017 13:43:03 GMT

is this HF on Centos or RHEL?? firewalld/iptables all good? also 514 is privileged, is Splunk root? might have to dance around that a bit

firewall-cmd --list-all

firewall-cmd --permanent --zone=public --add-port=514/udp

systemctl restart firewalld.service

Re: How to confirm a udp input is running?

a212830 — Thu, 12 Oct 2017 14:01:29 GMT

running as root. RH7.

Re: How to confirm a udp input is running?

mattymo — Thu, 12 Oct 2017 14:20:27 GMT

did you create a rule in firewalld for udp 514?

Re: How to confirm a udp input is running?

a212830 — Thu, 12 Oct 2017 14:43:54 GMT

It's udp, and I see the events coming in via tcpdump.

Re: How to confirm a udp input is running?

a212830 — Thu, 12 Oct 2017 14:48:54 GMT

But, yes, you are right. Firewalld is the culprit. Apparently it's enabled by default on RH7, but no RH6.

Thanks!

Re: How to confirm a udp input is running?

mattymo — Thu, 12 Oct 2017 14:51:00 GMT

nice! will update the answer with the command, was about to post it

Re: How to confirm a udp input is running?

mattymo — Thu, 12 Oct 2017 14:51:43 GMT

oops. updated. tcpdump is a good start but sees the packers before they are dropped.

Re: How to confirm a udp input is running?

sloshburch — Thu, 12 Oct 2017 16:37:12 GMT

ahem: Worst Practices...and How to Fix Them
Start at 3min in.

You know I'm always willing to give a good hassle to ya! 😉

Re: How to confirm a udp input is running?

mattymo — Thu, 12 Oct 2017 17:01:13 GMT

no doubt! @a212830, now that we got ya up and running, you will want to explore items like, not running splunk as root, using syslog receivers like rsyslog or syslog-ng to put data to disk and pick it up with a UF or check out options for scale using HEC!

http://conf.splunk.com/sessions/2017-sessions.html#search=HEC%20with%20syslog&

Re: How to confirm a udp input is running?

a212830 — Thu, 12 Oct 2017 23:44:09 GMT

Indeed! Actually, this isn't mine... a friend in another group was trying to get his data into a different BU's Splunk, and they weren't able to get it done, so he tried it, and I finished it for him. He's been advised not to run as root...