topic Re: Local or Domain in Getting Data In

Local or Domain

Jizbo — Sun, 04 Feb 2018 01:15:43 GMT

Hi, I've installed Splunk Enterprise on a standalone Win 10 box. I don't have active directory in my home. Installed Splink with Home Monitor as a local user. I want to read the Syslog from my Asus router. However, nothing is showing up in my dashboard. Yes, UDP 514 is allowed on Win 10 Box. Am I doing something wrong?

Re: Local or Domain

skoelpin — Sun, 04 Feb 2018 19:56:17 GMT

You should look at the internal Splunk logs for an error

index=_internal sourcetype=splunkd

Re: Local or Domain

Jizbo — Sun, 04 Feb 2018 23:52:07 GMT

No errors showing up. However, it appears all the entries are all from the splunk machine (Win 10 stand-alone box). I don't see any syslog entries coming in from my asus router.

Re: Local or Domain

dantimola — Mon, 05 Feb 2018 06:46:53 GMT

Have you already configured your router to send syslog to your machine?

Re: Local or Domain

Jizbo — Mon, 05 Feb 2018 11:41:59 GMT

Yes, my Asus router is set up to send logs to my Splunk box on UDP 514.

Re: Local or Domain

Elsurion — Mon, 05 Feb 2018 12:54:15 GMT

You are collecting data from the udp port? Just enabling on OS Level is not enough.
Check if you have an entry under Data Inputs -> UDP or check the inputs.conf file in (probably) etc/app/search/local
Entry should look alike:

[udp://514]
connection_host = dns
index = main
sourcetype = syslog

And check it with

index=main sourcetype=syslog

If any event shows up.

When nothing shows up, and you can send testevents from your router, trigger them to check their existents with all-time
If still nothing shows up, check the router log and on the commandline with netstat if the port ist open and a process is listening on it.

Re: Local or Domain

Jizbo — Tue, 29 Sep 2020 17:57:28 GMT

Here's my input.conf file:
[udp://514]disabled = 0
connection_host = IP
sourcetype=syslog
index = homemonitor
disabled = 1

Bandwidth Input for Linux Machines

[script://./bin/speedtest.sh]
interval = 1800.0
source=bandwidth_test
sourcetype = bandwidth_test
disabled = 1

Bandwidth Input for Windows Machines

Enable the Windows input manually, not through the setup.xml page.

[script://$SPLUNK_HOME\etc\apps\homemonitor\bin\speedtest.bat] disabled = 0
interval = 1800.00
source = bandwidth_test
sourcetype = bandwidth_test
disabled = 1

Re: Local or Domain

Elsurion — Mon, 05 Feb 2018 18:32:41 GMT

Ok remove all disabled = 1 in your inputs.conf, or at least by the [udp://514] input
disabled = 1 > means that this monitor/script is disabled and will be ignored.

also for the test if it will work, use index=main after the check you can use again the index=homemonitor since this index isn't installed by default.

For the rest define always a destination index with index = , that way you will find your data more easely

Re: Local or Domain

Jizbo — Mon, 05 Feb 2018 19:18:11 GMT

"No results found". Bummer, I was hoping this would work. Just to be clear, if I install Splunk as a local user, can I read data sent to it from my router, NAS, etc? I'm batting zero on why I cant get data feeds.

Re: Local or Domain

Elsurion — Tue, 06 Feb 2018 06:50:41 GMT

As long as this user is able to bind this port yes.

I don't know how Windows keeps track on the used ports but under Linux you'll need to be a higher privileged user to use any port under 1024. I'm using my own set of ports, since my user splunk is not privileged, That i can read normal syslog stuff i'm mapping the port 514 to a high port like 5514.
Most devices are able to use other ports then the 514, just as a side note.

Under Linux you could check if the udp port is listening this way

 netstat -uanc | grep 514

Under Windows it could be this command

netstat -p UDP

Also wireshark is also a valid option 🙂 udp.port == 514 ,there you can drive into the datastream. But you have to be a high priv user, since you have to bind the whole network device.

Re: Local or Domain

Jizbo — Wed, 07 Feb 2018 11:16:54 GMT

I'm at a loss. Any other ideas?

Re: Local or Domain

Elsurion — Thu, 08 Feb 2018 08:22:28 GMT

Did you try the netstat command i've written?

Re: Local or Domain

Jizbo — Fri, 09 Feb 2018 23:43:43 GMT

Strange,
on my windows box (running splunk) here's the output:

C:\WINDOWS\system32> netstat -p UDP

Active Connections

Proto Local Address Foreign Address State

C:\WINDOWS\system32>

Re: Local or Domain

Jizbo — Sat, 10 Feb 2018 00:17:57 GMT

UDP 0.0.0.0:514 :
UDP 0.0.0.0:3389 :
UDP 0.0.0.0:3702 :
UDP 0.0.0.0:3702 :
UDP 0.0.0.0:5050 :
UDP 0.0.0.0:5353 :
UDP 0.0.0.0:5355 :
UDP 0.0.0.0:65370 :
UDP 127.0.0.1:1900 :
UDP 127.0.0.1:50953 :
UDP 127.0.0.1:55277 :
UDP 192.168.1.100:137 :
UDP 192.168.1.100:138 :
UDP 192.168.1.100:1900 :
UDP 192.168.1.100:50952 :

Re: Local or Domain

Jizbo — Sat, 10 Feb 2018 14:08:41 GMT

On the foreign address of the netstat column, all my UDP ports end with . instead of a domain. Also the state column is empty (not listening or established).

Re: Local or Domain

Jizbo — Sat, 10 Feb 2018 14:10:00 GMT

netstat columns end with "start dot star" (apparently we are not allowed to post the real symbols on this forum)

Re: Local or Domain

Jizbo — Sat, 10 Feb 2018 14:11:15 GMT

Sorry, meant to say "star, colon, star"

Re: Local or Domain

Elsurion — Sun, 11 Feb 2018 12:47:31 GMT

Is the Output with the many Ports from your System?
At least this one is showing something on the 514 port.
Curious is that you don't get any plain foreign Adress and a State.
Like this one here:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 0.0.0.0:5514            0.0.0.0:*

It is taken by my Linux System.
I assume now that's the format it should be then under Windows, so you're basically open to the whole world with the 0.0.0.0:* (any:5514 from any:any), the any is basically every interface you have in your pc.
And i don't have any active Syslog Input into Splunk> at the moment.

When i just take the netstat -p UDP Output, then it sais that you don't have any connection up and running on the 514

One thing that i could suggest to check if the port is open, is with netcat (dunno if available for Windows)

13:44 elsurion@monsterine ✓ ~ $ nc -v -u -z -w 3 monsterine 4414
13:44 elsurion@monsterine ✓ ~ $ echo $?
1
13:44 elsurion@monsterine ✓ ~ $ nc -v -u -z -w 3 monsterine 5514
Connection to monsterine 5514 port [udp/*] succeeded!
13:44 elsurion@monsterine ✓ ~ $ echo $?
0
13:44 elsurion@monsterine ✓ ~ $

When it will work, ok.

When it still don't work, take another port > 1024 for this syslog input if your router supports it. Normaly it should be no problem setting up a listener on 514, but under Windows i don't know.

Re: Local or Domain

Jizbo — Sun, 11 Feb 2018 13:39:10 GMT

Thanks elsurion. Netcat does not work in windows.