topic Traffic getting to server, but not getting splunk'd. in Splunk Search

Traffic getting to server, but not getting splunk'd.

rblalock — Fri, 03 May 2013 15:44:27 GMT

I have an ASA firewall sending data to my splunk server (syslog port 514). When I run tcpdump...

tcpdump -i eth1 host 172.28.8.234 > test.txt

I get data dumped. It looks like...

11:15:53.627144 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 145
11:15:53.628353 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 146
11:15:53.629599 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 181

But when I search splunk for the ip 172.28.8.234, I get jack squat. What are some reasons splunk would not be logging this data? Splunk is listening on UDP port 514...

~# nmap -sU localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2013-05-03 11:20 EDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 998 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
514/udp open|filtered syslog

Re: Traffic getting to server, but not getting splunk'd.

yannK — Fri, 03 May 2013 15:46:51 GMT

check this answer to see if it applies to your case:

http://splunk-base.splunk.com/answers/12876/splunk-running-on-my-linux-server-is-only-showing-me-events-from-my-local-subnet-what-is-going-on

Re: Traffic getting to server, but not getting splunk'd.

Ayn — Fri, 03 May 2013 15:58:07 GMT

Also the data with sourcetype 'syslog' gets its host value from the host value specified in the events, which is not necessarily the same as the IP address of the host the events were received from.

Re: Traffic getting to server, but not getting splunk'd.

rblalock — Fri, 03 May 2013 17:52:05 GMT

Excellent. Thanks very much.