topic Getting UDP data in Getting Data In

Getting UDP data

nikhil — Sat, 15 May 2021 14:43:28 GMT

Hi,

This is default standalone setup. I'm trying to get data in from a network device which sends data as syslog on UDP/5114.

I've configured the UDP/5114 on Splunk. Here are the screenshots of config.udp_data_input

udp_data_input_details

I've confirmed that splunk process is listening on port 5114

udp_listener

I've also confirmed that I'm getting data on host so no network routing or firewall issue. Bellow is a screenshot of MS Network monitor showing data received on port UDP/5114.

data_on_5114

Yet no data is coming in the splunk instance.no_events_in_splunk

Pls help resolve this.

Thanks & Regards.

Re: Getting UDP data

ITWhisperer — Sat, 15 May 2021 15:24:14 GMT

Have you considered using Splunk Connect for Syslog (SC4S)?

Re: Getting UDP data

nikhil — Sat, 15 May 2021 15:31:19 GMT

Considering now. Any comment on the mentioned config.? Is there anything I'm missing in config.? Or any other troubleshooting pointers.?

Thanks & Regards.

Re: Getting UDP data

nikhil — Sun, 16 May 2021 05:51:46 GMT

Hi,

Will SC4S(Splunk Connector for Syslog) be supported on my setup.? Do I need separate linux instance for the same.?

My Splunk Setup:

Splunk Enterprise Server 8.1.3

Windows, 8 GB Physical Memory, 2 CPU Cores

Mode: Standalone

Thanks & Regards

Re: Getting UDP data

nikhil — Tue, 18 May 2021 08:24:07 GMT

Hello Everyone,

Can anyone pls help on this.?

Thanks & Regards

Re: Getting UDP data

PickleRick — Tue, 18 May 2021 09:27:19 GMT

I'm not sure about MS Network Monitor (now deprecated btw) - never used it - but Wireshark, for example, just dumps packets from the network interface. Which doesn't mean that they don't get filtered on a host firewall afterwards.

Since you're using UDP which is stateless, connectionless and so on, unless you're actively denying the packets (sending ICMPs), there will be nothing on the network informing you whether the recipient received the packets correctly or not.

So I'd search the firewall rules again.

And two more remarks:

1) If possible, use TCP - it's much more reliable and less prone to event loss

2) Splunk's syslog inputs don't scale well so if you're planning on having big volumes of data ingested this way, consider other forms of providing the source data to Splunk - there are a few methods that can be used (for example - a syslog server writing to buffer file and UF reading that file or a syslog server receiving the events and pushing them to HEC input via HTTP).

But to have something to begin with Splunk's syslog inputs are OK.