
Default port udp/513

timothy_e_rabor
Explorer

Is port udp/513 an absolute, or is it just a matter of changing the stanza in the inputs.conf file? I run Splunk as a non-root user, so I can't configure it to listen on a port < 1024 (I realize too I can play around with some port redirection, but it seems simpler to just change the default port).

0 Karma

mreynov_splunk
Splunk Employee
[udp:<port>]
* This input stanza is same as [udp://<remote server>:<port>] but without any remote server restriction
* Please see the documentation for [udp://<remote server>:<port>] to follow supported settings:
connection_host = [ip|dns|none]
_rcvbuf = <integer>
no_priority_stripping = [true|false]
no_appending_timestamp = [true|false]
queueSize = <integer>[KB|MB|GB]
persistentQueueSize = <integer>[KB|MB|GB|TB]
listenOnIPv6 = <no | yes | only>
acceptFrom = <network_acl> ...

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

0 Karma

timothy_e_rabor
Explorer

The question isn't about inputs.conf. It's about the FortiOS 5 app itself. Documentation refers to using udp/513. I'm asking about using an alternate port for the app. Is changing the inputs.conf file all that is necessary? Will the app still function properly on an alternate port?

0 Karma

mreynov_splunk
Splunk Employee

On the Splunk side, it should not matter, but you would need to configure FortiOS to pump logs through the new port.

0 Karma
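As an added illustration (not code from this thread or from the FortiOS app), here is what the corresponding inputs.conf stanza on the heavy forwarder could look like when Splunk runs unprivileged: the port 5514, the FortiGate address 192.0.2.10 and the sourcetype name fortios5 are assumptions, not values the app documentation fixes.

```ini
# Added example inputs.conf stanza (not from the thread).
# Splunk runs as a non-root user, so an unprivileged port (assumed: 5514)
# is used instead of the documented udp/513. Splunk .conf comments must
# sit on their own lines; a trailing "# ..." would become part of the value.
[udp:5514]
# Assumed to be the sourcetype the FortiOS app's searches are keyed on.
sourcetype = fortios5
# Record the sending device's IP address as the host field.
connection_host = ip
# Keep the FortiGate's own timestamp rather than prepending one.
no_appending_timestamp = true
# Only accept datagrams from the FortiGate (assumed address); anything
# else sent to this listener is silently dropped.
acceptFrom = 192.0.2.10
```

The FortiGate's syslog destination must be changed to the same port, and since the app's dashboards depend on the sourcetype rather than the port, a quick search for sourcetype=fortios5 confirms whether events are arriving where the app expects them.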

timothy_e_rabor
Explorer

I'm getting logs no problem. The Fortigate device is set to send logs to one of my heavy forwarders. HF is set to receive properly - logs are being indexed as sourcetype fortios5. That's all working fine.

However, no data is showing in the app itself. The only real deviation I've done is the alternate port. I wouldn't see how that would affect it otherwise if the data is being indexed as the expected sourcetype.

0 Karma

mreynov_splunk
Splunk Employee

If it never worked, I would suggest looking at the app and object permissions.

0 Karma