topic syslog data on udp port is showing as zero bytes in Splunk in Getting Data In https://community.splunk.com/t5/Getting-Data-In/syslog-data-on-udp-port-is-showing-as-zero-bytes-in-Splunk/m-p/395772#M70572 <P>Hi Splunk experts, </P> <P>I ran into a strange situation in Splunk wherein udp connections but data size is zero.</P> <P>Just to give you a background of what i am trying to do and how.</P> <P>I am using Splunk in our organisation and currently working on creating a solution to integrate syslogs/event logs from network appliances (Cisco ASA, Fe big IP), Checkpoint etc) in Splunk.<BR /> Our setup includes, heavy forwarders which receives syslogs from network appliances and then HF sends that data to indexers. On HFs, we have redirected data coming on UDP 514 port to 1514 using iptables. Also, I have created inputs.conf file for all network appliances on the HF side. <STRONG>Example inputs.conf file is:</STRONG></P> <P>[udp://XX.YY.ZZ.AA:1514]<BR /> index=test<BR /> source=udp:514<BR /> sourcetype=qos_syslog<BR /> connection_host=ip<BR /> disabled=false</P> <P><STRONG>IP tables on HF side looks like below</STRONG>:</P> <P>Table: filter<BR /> Chain INPUT (policy ACCEPT)<BR /> num target prot opt source destination<BR /> 1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1514<BR /> 2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2514<BR /> 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1514<BR /> 4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:514<BR /> 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9997<BR /> 6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000<BR /> 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22<BR /> 8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:514<BR /> 9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2514</P> <P>Chain FORWARD (policy ACCEPT)<BR /> num target prot opt source destination</P> <P>Chain OUTPUT (policy ACCEPT)<BR /> num target prot opt source destination</P> <P>Table: nat<BR /> Chain PREROUTING (policy ACCEPT)<BR /> num target prot opt source destination<BR /> 1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:514 redir ports 1514<BR /> 2 REDIRECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:514 redir ports 1514</P> <P>Chain POSTROUTING (policy ACCEPT)<BR /> num target prot opt source destination</P> <P>Chain OUTPUT (policy ACCEPT)<BR /> num target prot opt source destination</P> <P>When i am running an search on Search head (or checking the HF logs in HF), I can see that in "metrics.log", there are entries wherein it says that "group=udpin_connections, XX.YY.ZZ.AA:1514, sourcePort=1514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00" where XX.YY.ZZ.AA is the IP address if the network appliance. </P> <P><STRONG>Now, my questions are:</STRONG></P> <OL> <LI>Why I am getting all udp data as zero as per metrics logs? I have checked the index as well and I cannot see anything in it.</LI> <LI>Does that mean that connection with the network appliance is established (because i can see entry) in the metrics log? Does it rule out the possibility of any firewall blocks in between HF and network appliance?</LI> </OL> <P>Any help, guidance, suggestions on this issue is very much appreciated. I am running out of options now and the problem is still there. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>Regards<BR /> Vikas</P> Tue, 29 Sep 2020 20:49:10 GMT vikasverma1985 2020-09-29T20:49:10Z syslog data on udp port is showing as zero bytes in Splunk https://community.splunk.com/t5/Getting-Data-In/syslog-data-on-udp-port-is-showing-as-zero-bytes-in-Splunk/m-p/395772#M70572 <P>Hi Splunk experts, </P> <P>I ran into a strange situation in Splunk wherein udp connections but data size is zero.</P> <P>Just to give you a background of what i am trying to do and how.</P> <P>I am using Splunk in our organisation and currently working on creating a solution to integrate syslogs/event logs from network appliances (Cisco ASA, Fe big IP), Checkpoint etc) in Splunk.<BR /> Our setup includes, heavy forwarders which receives syslogs from network appliances and then HF sends that data to indexers. On HFs, we have redirected data coming on UDP 514 port to 1514 using iptables. Also, I have created inputs.conf file for all network appliances on the HF side. <STRONG>Example inputs.conf file is:</STRONG></P> <P>[udp://XX.YY.ZZ.AA:1514]<BR /> index=test<BR /> source=udp:514<BR /> sourcetype=qos_syslog<BR /> connection_host=ip<BR /> disabled=false</P> <P><STRONG>IP tables on HF side looks like below</STRONG>:</P> <P>Table: filter<BR /> Chain INPUT (policy ACCEPT)<BR /> num target prot opt source destination<BR /> 1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1514<BR /> 2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2514<BR /> 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1514<BR /> 4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:514<BR /> 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9997<BR /> 6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000<BR /> 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22<BR /> 8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:514<BR /> 9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2514</P> <P>Chain FORWARD (policy ACCEPT)<BR /> num target prot opt source destination</P> <P>Chain OUTPUT (policy ACCEPT)<BR /> num target prot opt source destination</P> <P>Table: nat<BR /> Chain PREROUTING (policy ACCEPT)<BR /> num target prot opt source destination<BR /> 1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:514 redir ports 1514<BR /> 2 REDIRECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:514 redir ports 1514</P> <P>Chain POSTROUTING (policy ACCEPT)<BR /> num target prot opt source destination</P> <P>Chain OUTPUT (policy ACCEPT)<BR /> num target prot opt source destination</P> <P>When i am running an search on Search head (or checking the HF logs in HF), I can see that in "metrics.log", there are entries wherein it says that "group=udpin_connections, XX.YY.ZZ.AA:1514, sourcePort=1514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00" where XX.YY.ZZ.AA is the IP address if the network appliance. </P> <P><STRONG>Now, my questions are:</STRONG></P> <OL> <LI>Why I am getting all udp data as zero as per metrics logs? I have checked the index as well and I cannot see anything in it.</LI> <LI>Does that mean that connection with the network appliance is established (because i can see entry) in the metrics log? Does it rule out the possibility of any firewall blocks in between HF and network appliance?</LI> </OL> <P>Any help, guidance, suggestions on this issue is very much appreciated. I am running out of options now and the problem is still there. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>Regards<BR /> Vikas</P> Tue, 29 Sep 2020 20:49:10 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-data-on-udp-port-is-showing-as-zero-bytes-in-Splunk/m-p/395772#M70572 vikasverma1985 2020-09-29T20:49:10Z Re: syslog data on udp port is showing as zero bytes in Splunk https://community.splunk.com/t5/Getting-Data-In/syslog-data-on-udp-port-is-showing-as-zero-bytes-in-Splunk/m-p/553564#M91777 <P>Did you find the answer for this?</P> Fri, 28 May 2021 17:34:16 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-data-on-udp-port-is-showing-as-zero-bytes-in-Splunk/m-p/553564#M91777 Priyankakumari1 2021-05-28T17:34:16Z