https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350118#M64263 <P>I found the solution:</P> <OL> <LI>Port forwarding was not enabled for the interface. <A href="https://serverfault.com/questions/140622/how-can-i-port-forward-with-iptables">1</A></LI> <LI>The NAT-Rule was not saved. <A href="https://serverfault.com/questions/220586/howto-configure-opensuse-firewall-to-route-local-traffic-to-local-ports">2</A></LI> </OL> Tue, 24 Apr 2018 08:11:15 GMT chrisitanmoleck 2018-04-24T08:11:15Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350113#M64258 <P>Hello,</P> <P>we want to send syslog from cisco switches directly to the splunk indexer.<BR /> So I made a NAT from UDP 514 to 5447 and a new UPD data input (for 5447).</P> <P>Is it also neccessary to define these data at the inputs.conf of the indexer?</P> <P>Best Regards<BR /> Christian</P> Thu, 19 Apr 2018 07:04:40 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350113#M64258 chrisitanmoleck 2018-04-19T07:04:40Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350114#M64259 <P>You can refer below doc: </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/HowSplunkEnterprisehandlessyslogdata">http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/HowSplunkEnterprisehandlessyslogdata</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports">http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports</A></P> Thu, 19 Apr 2018 07:15:35 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350114#M64259 p_gurav 2018-04-19T07:15:35Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350115#M64260 <P>I think you would need to configure inputs.conf for port 5447 at the indexer.</P> <P>go to <CODE>/opt/splunk/bin/</CODE> on indexer and run this command.</P> <PRE><CODE> ./splunk add udp 5447 -sourcetype syslog </CODE></PRE> <P>Refer this doc for more <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports#Examples">https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports#Examples</A></P> <P>let me know if this helps!</P> Thu, 19 Apr 2018 07:17:27 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350115#M64260 mayurr98 2018-04-19T07:17:27Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350116#M64261 <P>Unfortunately it doesn't work.</P> <P>IP-Tables NAT: /usr/sbin/iptables -t nat -A PREROUTING -m udp -p udp --dport 514 -j REDIRECT --to-ports 5447<BR /> Firewall entries for 5447 and 514</P> <P>Entry in $SPLUNK_HOME/etc/system/local/inputs.conf</P> <PRE><CODE>[udp://10.23.112.64:5447] disabled = false sourcetype = syslog index = switches </CODE></PRE> <P>This creates a new data input.</P> <P>I struggeling with your command, because the splunk running user has some security protection, so that I can't execute it.</P> <P>In metrics.log I have some of these entries: </P> <PRE><CODE>04-19-2018 13:43:59.762 +0200 INFO Metrics - group=udpin_connections, 10.23.112.64:5447, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00 </CODE></PRE> <P>Otherwise I can't find any data in splunk to the switch.</P> Thu, 19 Apr 2018 11:46:28 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350116#M64261 chrisitanmoleck 2018-04-19T11:46:28Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350117#M64262 <P>Though you can syslog to indexers. Don’t. Send to a syslog server of your flavor and use a universal forwarder to pickup logs. </P> <P><A href="http://www.georgestarcher.com/splunk-success-with-syslog/">http://www.georgestarcher.com/splunk-success-with-syslog/</A></P> Fri, 20 Apr 2018 03:22:42 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350117#M64262 starcher 2018-04-20T03:22:42Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350118#M64263 <P>I found the solution:</P> <OL> <LI>Port forwarding was not enabled for the interface. <A href="https://serverfault.com/questions/140622/how-can-i-port-forward-with-iptables">1</A></LI> <LI>The NAT-Rule was not saved. <A href="https://serverfault.com/questions/220586/howto-configure-opensuse-firewall-to-route-local-traffic-to-local-ports">2</A></LI> </OL> Tue, 24 Apr 2018 08:11:15 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-switch-to-indexer/m-p/350118#M64263 chrisitanmoleck 2018-04-24T08:11:15Z