topic Re: Why am I not getting syslogs on port 512? in Getting Data In

Why am I not getting syslogs on port 512?

tabbtharrington — Mon, 02 Apr 2018 14:46:10 GMT

I am new to Splunk and I have it installed on my PC at work. I have Aruba Clear Pass syslog target set to forward to my PC's IP on port 512, UDP.
Search field in Splunk is : source="udp:512" sourcetype="syslog". Not getting any results when I run a search.

I tried port 514, UDP as well and still getting nothing. Wondering if its an IOS version issue as I'm running Windows 7 on my PC?

Re: Why am I not getting syslogs on port 512?

s2_splunk — Mon, 02 Apr 2018 21:43:08 GMT

Do you have Windows firewall active and configured to allow 512/udp traffic to pass through?
Do you have a Splunk listener configured to listen on port 512?

Re: Why am I not getting syslogs on port 512?

chaker — Mon, 02 Apr 2018 21:53:50 GMT

If you are not running the Splunk process as "root" you will not be able to access port below 1024 on Linux systems.

On Windows, do a netstat -na and look for port 514 to be "listening"

Also, what is the destination index you have set for the syslog data? Have you tried index=* sourcetype="syslog" ?