topic Re: Splunk UDP Data Input Fails To Send Data in Getting Data In

Splunk UDP Data Input Fails To Send Data

leongchongyu — Tue, 29 Sep 2020 19:08:02 GMT

Hi everyone,

I am working on a school project where multiple batches of students will work on the same project and pass it to the next batch. For this project, I have to send logs from a Lexmark CX725 printer to an instance of Splunk Enterprise 6.6.3. In order to do so, I have a UDP data input on port 2048 and configured the Lexmark printer to send its security logs to the IP address of the virtual machine running the Splunk instance(172.xx.xxx.A), port 2048.

However, no data is being sent to the Splunk instance at all. I have examined the metrics.log file with the command:
$SPLUNK_HOME/bin/splunk search 'index=_internal source=*metrics.log* destHost | dedup destHost'

and come up with the following line, which is the only line of the output produced by the command:

04-17-2018 10:56:49.865 +0800 INFO StatusMgr - destHost=172.xx.xxx.B, destIp=172.xx.xxx.B, destPort=2048, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor

172.xx.xxx.B is, I believe, the IP address of the virtual machine used by the previous batch of students running this project. In contrast, the virtual machine I am using has the IP address 172.xx.xxx.A. I believe that this could be because I inherited the configuration set up by the previous batch of students.

I was wondering if anyone has any insights on what could have caused this mix-up and what I can do to fix it, or if it is even relevant to my connection issues at all. Thank you all very much in advance for your time!

Re: Splunk UDP Data Input Fails To Send Data

jconger — Wed, 18 Apr 2018 16:34:19 GMT

If you have access to the server running Splunk, I would make sure that 1) the server is listening on the port, and 2) you can send a UDP packet locally. Here's how from the command line:

Check that the port is listening:

netstat -an | grep 2048

Make sure you can send a UDP packet locally:

echo "Testing" > /dev/udp/127.0.0.1/2048

Run a search in Splunk looking for the data (Testing). Here is my search:

index=* "Testing"

Re: Splunk UDP Data Input Fails To Send Data

leongchongyu — Thu, 19 Apr 2018 01:45:39 GMT

Hey jconger, thank you for the prompt and extremely clear answer.

The results of the netstat command were:

udp 0 0 0.0.0.0:2048 0.0.0.0:*

udp 0 0 0.0.0.0:2048 0.0.0.0:*

udp6 0 0 :::2048 :::*

unix 3 [ ] STREAM CONNECTED 20486

But searching Splunk (Search and Reporting app, time range set to All Time) returned no results.

Re: Splunk UDP Data Input Fails To Send Data

jconger — Fri, 20 Apr 2018 18:08:33 GMT

Did you try manually sending a UDP packet via command line?

Re: Splunk UDP Data Input Fails To Send Data

woodcock — Sun, 22 Apr 2018 20:54:46 GMT

Whatever is acting as the forwarder (probably the printer itself) needs to be reconfigured to send to the correct IP Address. If you are using a Splunk intermediate, this will be in the outputs.conf file somewhere under $SPLUNK_HOME/etc/. It is probably directly on the printer itself. though.

Re: Splunk UDP Data Input Fails To Send Data

leongchongyu — Mon, 23 Apr 2018 01:16:22 GMT

Yes, I did, using the command you provided. After I pressed enter, it doesn't show any feedback, just a blank line. Then I searched using S&R and got nothing.

Re: Splunk UDP Data Input Fails To Send Data

leongchongyu — Tue, 29 Sep 2020 19:10:06 GMT

Missing or malformed messages.conf stanza for AUDIT:START_OF_EVENT_DROPS 4/21/2018, 6:18:29 PM

Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED__default-autolb-group_10 4/18/2018, 5:30:25 PM

I found these in the messages tab after I tried to search for the data. Is this indicative of something wrong?